
fix(charts): gate externalsecrets write RBAC on processClusterExternalSecret (#6332)

Signed-off-by: Krisztián Kern <krisztian.kern@ericsson.com>
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
krisztian.kern преди 1 месец
родител
ревизия
7f9717ec59
променени са 2 файла, в които са добавени 46 реда и са изтрити 0 реда
  1. 2 0
      deploy/charts/external-secrets/templates/rbac.yaml
  2. 44 0
      deploy/charts/external-secrets/tests/rbac_test.yaml

+ 2 - 0
deploy/charts/external-secrets/templates/rbac.yaml

@@ -195,6 +195,7 @@ rules:
     verbs:
     - "create"
     - "patch"
+  {{- if .Values.processClusterExternalSecret }}
   - apiGroups:
     - "external-secrets.io"
     resources:
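Review bot: The new `{{- if .Values.processClusterExternalSecret }}` guard has no comment saying why write access to `externalsecrets` depends on this value, so a later edit could widen the rule or move the matching `{{- end }}` in the next hunk without noticing that it is a least-privilege boundary. A line such as `{{- /* write verbs on externalsecrets are only needed when the ClusterExternalSecret controller runs */}}` above the guard would record that. The rule's `resources:` entries fall between this hunk and the next, so it cannot be confirmed from here that the gated block contains only `externalsecrets`; that is worth checking before merge. The values documentation could also state that turning the flag off on a running install removes the controller's permission to delete ExternalSecrets it created earlier, which presumably leaves them in place.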
@@ -203,6 +204,7 @@ rules:
     - "create"
     - "update"
     - "delete"
+  {{- end }}
   {{- if .Values.processPushSecret }}
   - apiGroups:
     - "external-secrets.io"

+ 44 - 0
deploy/charts/external-secrets/tests/rbac_test.yaml

@@ -125,3 +125,47 @@ tests:
             - "serviceaccounts/token"
             verbs:
             - "create"
+
+  - it: should include externalsecrets create/update/delete when processClusterExternalSecret is true
+    set:
+      processClusterExternalSecret: true
+    documentIndex: 0
+    asserts:
+      - isKind:
+          of: ClusterRole
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-controller
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+            - "external-secrets.io"
+            resources:
+            - "externalsecrets"
+            verbs:
+            - "create"
+            - "update"
+            - "delete"
+
+  - it: should not include externalsecrets create/update/delete when processClusterExternalSecret is false
+    set:
+      processClusterExternalSecret: false
+    documentIndex: 0
+    asserts:
+      - isKind:
+          of: ClusterRole
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-controller
+      - notContains:
+          path: rules
+          content:
+            apiGroups:
+            - "external-secrets.io"
+            resources:
+            - "externalsecrets"
+            verbs:
+            - "create"
+            - "update"
+            - "delete"
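Review bot: The negative case's `notContains` compares against one exact rule, so it would still pass if create/update/delete on `externalsecrets` were granted by a rule of any other shape, for example with an extra resource in the list or with the verbs merged into another rule. Consider also asserting what the ClusterRole is expected to keep when `processClusterExternalSecret: false`, meaning whatever read rule for `externalsecrets` the template retains (not visible in this hunk). The test would then pin the reduced permission set rather than the absence of one literal block. Both cases fix `documentIndex: 0` and `isKind: ClusterRole`; if the chart can also render this rule list as a namespaced Role, that path is not covered here.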