
trying to fix the deployment and rbac

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 tydzień temu
rodzic
commit
e0f9c5846d

+ 11 - 1
deploy/charts/external-secrets/templates/cert-controller-rbac.yaml

@@ -84,8 +84,18 @@ rules:
     - {{ printf "%s-webhook" (include "external-secrets.fullname" .) | quote }}
     verbs:
     - "update"
-    - "create"
     - "patch"
+  {{- if and .Values.v2.enabled .Values.providers.enabled }}
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    resourceNames:
+    - "external-secrets-provider-tls"
+    verbs:
+    - "update"
+    - "patch"
+  {{- end }}
   - apiGroups:
     - "coordination.k8s.io"
     resources:
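Review bot: The `resourceNames` entry added at L26 hard-codes `external-secrets-provider-tls`, while the neighbouring webhook rule at L15 derives its Secret name from `include "external-secrets.fullname"`; the same literal is repeated in provider-secret.yaml, so the grant and the object it guards can silently drift apart, and two releases in one namespace would contend for a single Secret. If the controller looks the Secret up by this fixed name, a named template (e.g. a `define` that both files call) would keep the two in step without changing the value; otherwise a comment on the new rule, `# must match metadata.name in provider-secret.yaml`, at least ties them together. The rule grants only `update` and `patch`; whether the controller also needs `get` on this Secret depends on a rule outside this hunk, so please confirm. The webhook rule this hunk edits begins before L15.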

+ 10 - 0
deploy/charts/external-secrets/templates/provider-secret.yaml

@@ -0,0 +1,10 @@
+{{- if and .Values.v2.enabled .Values.providers.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: external-secrets-provider-tls
+  namespace: {{ template "external-secrets.namespace" . }}
+  labels:
+    {{- include "external-secrets.labels" . | nindent 4 }}
+    app.kubernetes.io/component: provider-certificates
+{{- end }}
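Review bot: The Secret has no `type` and no `data`, so Helm creates it as an empty Opaque object whose contents must be written by something outside the chart — presumably the cert controller, given the matching update/patch grant in cert-controller-rbac.yaml. If what lands in it is a TLS key pair, `type: kubernetes.io/tls` would state that intent and let the API server reject a malformed write; confirm against the controller before adding it, since the type is immutable after creation. Either way a template comment saying that the Secret is intentionally created empty and populated at runtime, and that its name must match the `resourceNames` entry in the RBAC template, spares the next reader the cross-file hunt: `{{/* Created empty; populated at runtime by the cert controller. Name must match resourceNames in cert-controller-rbac.yaml. */}}`.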

+ 35 - 0
deploy/charts/external-secrets/tests/cert_controller_rbac_test.yaml

@@ -107,3 +107,38 @@ tests:
               - "watch"
               - "update"
               - "patch"
+  - it: should not grant access to the provider tls secret when providers are disabled
+    documentIndex: 0
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - "secrets"
+            resourceNames:
+              - "external-secrets-provider-tls"
+            verbs:
+              - "update"
+              - "patch"
+  - it: should scope provider tls secret update/patch by resourceNames when v2 providers are enabled
+    documentIndex: 0
+    set:
+      v2:
+        enabled: true
+      providers:
+        enabled: true
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - "secrets"
+            resourceNames:
+              - "external-secrets-provider-tls"
+            verbs:
+              - "update"
+              - "patch"
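Review bot: The negative case at L57 sets nothing, so it exercises only whatever the chart defaults happen to be and never checks the `and` in the template: a regression to `or`, or a later flip of one default, would pass or fail for the wrong reason. Adding a case with `v2.enabled: true` and `providers.enabled: false` (and its mirror) pins each operand on its own. The hunk also adds no assertion that `create` was dropped from the webhook Secret rule, which is the other half of this commit's RBAC change and would otherwise go unguarded.
```yaml
# … unchanged: existing test cases …
  - it: should not grant access to the provider tls secret when v2 is enabled but providers are disabled
    documentIndex: 0
    set:
      v2:
        enabled: true
      providers:
        enabled: false
    asserts:
      - notContains:
          path: rules
          content:
            apiGroups:
              - ""
            resources:
              - "secrets"
            resourceNames:
              - "external-secrets-provider-tls"
            verbs:
              - "update"
              - "patch"
```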