From 7abe6bcce8bd0c77c01030c66c73097d85497ca2 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Fri, 9 Aug 2024 15:13:01 +0200
Subject: [PATCH 1/2] fix(helm): use the same scc as olm
---
 .../helm/secret-operator/templates/roles.yaml | 45 +++++++++++++++++--
 1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml
index 379c90ed..30bde47f 100644
--- a/deploy/helm/secret-operator/templates/roles.yaml
+++ b/deploy/helm/secret-operator/templates/roles.yaml
@@ -1,3 +1,40 @@
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+---
+ apiVersion: security.openshift.io/v1
+ kind: SecurityContextConstraints
+ metadata:
+ name: stackable-secret-operator-scc
+ annotations:
+ kubernetes.io/description: SCC for Stackable secret operator
+ allowHostDirVolumePlugin: true
+ allowHostIPC: false
+ allowHostNetwork: false
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegeEscalation: true
+ allowPrivilegedContainer: true # Needed because otherwise we get spec.template.spec.containers[0].volumeMounts.mountPropagation: Forbidden: Bidirectional mount propagation is available only to privileged containers
+ allowedCapabilities: null
+ defaultAddCapabilities: null
+ fsGroup:
+ type: RunAsAny
+ groups: []
+ priority: null
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - MKNOD
+ runAsUser:
+ type: RunAsAny
+ seLinuxContext:
+ type: MustRunAs
+ supplementalGroups:
+ type: RunAsAny
+ users: []
+ volumes:
+ - downwardAPI
+ - projected
+ - hostPath
+ - emptyDir
+{{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
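Review bot: The SCC's `metadata.name` is the fixed literal `stackable-secret-operator-scc` on a cluster-scoped object, so a second release of this chart — or an OLM-installed copy of the operator, if that bundle ships an SCC of the same name as the subject suggests — would contend for the same object; derive the name from the release the way the chart names its other resources, or state in the chart docs that only one installation per cluster is supported. The `.Capabilities.APIVersions.Has` guard only sees `security.openshift.io/v1` when Helm can query a live cluster: `helm template` and GitOps renderers silently drop both this SCC and the matching `use` rule unless `--api-versions security.openshift.io/v1` is supplied, which deserves a comment beside the guard, e.g. `# Rendered only when Helm can see the OpenShift SCC API; pass --api-versions security.openshift.io/v1 to helm template`. `allowPrivilegedContainer` carries a why-comment, but `allowPrivilegeEscalation: true`, `allowHostDirVolumePlugin: true` and the `hostPath` entry under `volumes` — the settings that make this SCC nearly as broad as the built-in `privileged` one — do not; give each the same treatment, naming the host paths the operator actually mounts so a reviewer can judge whether the grant is minimal.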
@@ -67,11 +104,13 @@ rules:
 - podlisteners
 verbs:
 - get
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
 - apiGroups:
 - security.openshift.io
 resourceNames:
- - privileged
+ - stackable-secret-operator-scc
 resources:
- - securitycontextconstraints
+ - securitycontextconstraints
 verbs:
- - use
+ - use
+{{ end }}
From f5941a22d2c3bff360e6a4f093efebbbd9364ebb Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Sun, 11 Aug 2024 19:30:58 +0200
Subject: [PATCH 2/2] fix indentation
---
 deploy/helm/secret-operator/templates/roles.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml
index 30bde47f..8eb6173a 100644
--- a/deploy/helm/secret-operator/templates/roles.yaml
+++ b/deploy/helm/secret-operator/templates/roles.yaml
@@ -106,7 +106,7 @@ rules:
 - get
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
 - apiGroups:
- - security.openshift.io
+ - security.openshift.io
 resourceNames:
 - stackable-secret-operator-scc
 resources:
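Review bot: The SCC name `stackable-secret-operator-scc` is now a literal here in `resourceNames` and again in the SCC's `metadata.name` in the first hunk, so renaming one side leaves the `use` grant matching nothing and the operator's pods lose the SCC without any rendering error; put the name in one named template (a `define` in the chart's helpers) and reference it from both places. The enclosing `rules:` list begins outside the hunk. The replaced `- securitycontextconstraints` and `- use` lines differ from the removed ones only in whitespace, which the collapsed rendering hides, and the follow-up commit's indentation fix for `- security.openshift.io` suggests the sequence indentation under this `apiGroups` entry is worth checking once more against the rest of the file with yamllint.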