
feat(charts): scope cert-controller RBAC to managed CRDs and webhook secret (#6481)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Signed-off-by: somaz <genius5711@gmail.com>
somaz 7 hours ago
commit
436af70fe1

+ 18 - 0
deploy/charts/external-secrets/templates/cert-controller-rbac.yaml

@@ -14,6 +14,17 @@ rules:
     - "get"
     - "list"
     - "watch"
+  - apiGroups:
+    - "apiextensions.k8s.io"
+    resources:
+    - "customresourcedefinitions"
+    resourceNames:
+    - "externalsecrets.external-secrets.io"
+    - "secretstores.external-secrets.io"
+    {{- if .Values.crds.createClusterSecretStore }}
+    - "clustersecretstores.external-secrets.io"
+    {{- end }}
+    verbs:
     - "update"
     - "patch"
   - apiGroups:
@@ -65,6 +76,13 @@ rules:
     - "get"
     - "list"
     - "watch"
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    resourceNames:
+    - {{ printf "%s-webhook" (include "external-secrets.fullname" .) | quote }}
+    verbs:
     - "update"
     - "patch"
   - apiGroups:
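Review bot: The new secrets rule narrows only the write side: the context rule just above it still grants get/list/watch on every Secret in the cluster, and because resourceNames cannot restrict list or watch, a cluster-wide informer on Secrets reads all of them regardless of this change. If the cert-controller only needs its own webhook Secret, a namespaced Role/RoleBinding in the release namespace would bound the read side too; whether that is possible depends on the controller's informer setup, which is not visible here. Separately, the resourceName is rebuilt with `printf "%s-webhook" (include "external-secrets.fullname" .)` rather than shared with wherever the webhook Secret itself is named, so a rename in the webhook templates would silently stop this rule from matching; a shared named template, or at least a comment such as `# must match the Secret name used by the webhook templates`, would keep them in sync. The same drift concern applies to the literal CRD names in the first hunk if the cert-controller's CRD list is configurable outside the chart.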

+ 109 - 0
deploy/charts/external-secrets/tests/cert_controller_rbac_test.yaml

@@ -0,0 +1,109 @@
+suite: test cert controller rbac
+templates:
+  - cert-controller-rbac.yaml
+tests:
+  - it: should keep get/list/watch on customresourcedefinitions cluster-wide
+    documentIndex: 0
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - "apiextensions.k8s.io"
+            resources:
+              - "customresourcedefinitions"
+            verbs:
+              - "get"
+              - "list"
+              - "watch"
+  - it: should scope customresourcedefinitions update/patch to the managed CRDs by resourceNames
+    documentIndex: 0
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - "apiextensions.k8s.io"
+            resources:
+              - "customresourcedefinitions"
+            resourceNames:
+              - "externalsecrets.external-secrets.io"
+              - "secretstores.external-secrets.io"
+              - "clustersecretstores.external-secrets.io"
+            verbs:
+              - "update"
+              - "patch"
+      - notContains:
+          path: rules
+          content:
+            apiGroups:
+              - "apiextensions.k8s.io"
+            resources:
+              - "customresourcedefinitions"
+            verbs:
+              - "get"
+              - "list"
+              - "watch"
+              - "update"
+              - "patch"
+  - it: should exclude clustersecretstores from the scoped CRD rule when createClusterSecretStore is false
+    documentIndex: 0
+    set:
+      crds:
+        createClusterSecretStore: false
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - "apiextensions.k8s.io"
+            resources:
+              - "customresourcedefinitions"
+            resourceNames:
+              - "externalsecrets.external-secrets.io"
+              - "secretstores.external-secrets.io"
+            verbs:
+              - "update"
+              - "patch"
+  - it: should keep get/list/watch on secrets cluster-wide
+    documentIndex: 0
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - "secrets"
+            verbs:
+              - "get"
+              - "list"
+              - "watch"
+  - it: should scope secret update/patch to the webhook secret by resourceNames
+    documentIndex: 0
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - "secrets"
+            resourceNames:
+              - "RELEASE-NAME-external-secrets-webhook"
+            verbs:
+              - "update"
+              - "patch"
+      - notContains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - "secrets"
+            verbs:
+              - "get"
+              - "list"
+              - "watch"
+              - "update"
+              - "patch"
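Review bot: The expected resourceName `"RELEASE-NAME-external-secrets-webhook"` in the webhook-secret test pins the helm-unittest default release name but not the derivation through the fullname helper, so a regression in how `external-secrets.fullname` handles `fullnameOverride`/`nameOverride` would not be caught. A case that sets `fullnameOverride` and expects `<override>-webhook` would cover it; the value below is constructed and assumes the helper honors `fullnameOverride` as the standard chart scaffold does. The `notContains` asserts only match the exact old five-verb content, so they would not flag a broad rule written with a different verb order; acceptable, but worth knowing when reading them as a "no cluster-wide write" guarantee.
```yaml
  - it: should derive the webhook secret resourceName from fullnameOverride
    documentIndex: 0
    set:
      fullnameOverride: es-custom
    asserts:
      - contains:
          path: rules
          content:
            apiGroups:
              - ""
            resources:
              - "secrets"
            resourceNames:
              - "es-custom-webhook"
            verbs:
              - "update"
              - "patch"
```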