From 6d1da3da6ababafbc1ee69f1e23e28765a48695a Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Tue, 13 Aug 2019 18:39:56 -0700
Subject: [PATCH] Add cluster role as a kubebuilder tag.

---
 config/rbac/role.yaml                | 16 ++++++++--------
 controllers/stepissuer_controller.go |  1 +
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 8a4277a..67dd2d5 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -6,6 +6,14 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - certmanager.k8s.io
   resources:
@@ -43,11 +51,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
diff --git a/controllers/stepissuer_controller.go b/controllers/stepissuer_controller.go
index 04abdd8..4e7e778 100644
--- a/controllers/stepissuer_controller.go
+++ b/controllers/stepissuer_controller.go
@@ -41,6 +41,7 @@ type StepIssuerReconciler struct {
 
 // +kubebuilder:rbac:groups=certmanager.step.sm,resources=stepissuers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=certmanager.step.sm,resources=stepissuers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 
 // Reconcile will read and validate the StepIssuer resources, it will set the
 // status condition ready to true if everything is right.
-- 
GitLab