fix: remove proxy clusterrole

DoodleScheduling · Dec 7, 2023 · 9ec6182 · 9ec6182
1 parent 0ae57a7
commit 9ec6182
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -307,7 +307,7 @@ It is recommended to configure all realms to run with the proxy.
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: keycloakrealm-proxy
 rules:
@@ -331,8 +331,8 @@ metadata:
   name: keycloakrealm-default
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: keycloakrealm-default
+  kind: Role
+  name: keycloakrealm-proxy
 subjects:
 - kind: ServiceAccount
   name: keycloakrealm-default
@@ -377,9 +377,6 @@ spec:
       serviceAccount: keycloakrealm-default
 ```
 
-**Note**: The proxy needs read access to keycloakrealms as well as patch access to the /status subresource.
-In the example above there is a ClusterRole called keycloakrealm-proxy granting just that. This ClusterRole also is bundled in the helm chart, you may use {releaseName}-reconcile-proxy for the RoleBinding.
-
 ## Installation
 
 ### Helm

diff --git a/chart/keycloak-controller/templates/clusterrole.yaml b/chart/keycloak-controller/templates/clusterrole.yaml
@@ -1,20 +1,6 @@
 {{- if .Values.clusterRBAC.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-metadata:
-  name: {{ template "keycloak-controller.fullname" . }}-reconcile-proxy
-rules:
-- apiGroups: ["keycloak.infra.doodle.com"]
-  resources:
-  - keycloakrealms
-  verbs: ["get"]
-- apiGroups: ["keycloak.infra.doodle.com"]
-  resources:
-  - keycloakrealms/status
-  verbs: ["get", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: {{ template "keycloak-controller.fullname" . }}
   labels: