From d9575f8bd7ca291bcb4191af8f715765af4e282e Mon Sep 17 00:00:00 2001
From: Hunter Gregory <42728408+huntergregory@users.noreply.github.com>
Date: Tue, 1 Oct 2024 12:00:24 -0700
Subject: [PATCH] fix: scope Hubble TLS CronJob's secret access to its namespace (#799)
# Description
Use minimal required RBAC. CronJob only needs access to secrets in its namespace.
## Checklist
- [x] I have read the [contributing documentation](https://retina.sh/docs/contributing).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.
## Tests
Secrets were still created, Hubble Relay ran with no issues, and `hubble observe flows` works
Signed-off-by: Hunter Gregory <42728408+huntergregory@users.noreply.github.com>
---
 .../tls-cronjob/{clusterrolebinding.yaml => rolebinding.yaml} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 rename deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/{clusterrolebinding.yaml => rolebinding.yaml} (92%)
diff --git a/deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/clusterrolebinding.yaml b/deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/rolebinding.yaml
similarity index 92%
rename from deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/clusterrolebinding.yaml
rename to deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/rolebinding.yaml
index 5938f16cc4..eca15c6f7d 100644
--- a/deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/clusterrolebinding.yaml
+++ b/deploy/hubble/manifests/controller/helm/retina/templates/hubble/tls-cronjob/rolebinding.yaml
@@ -1,8 +1,9 @@
 {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: hubble-generate-certs
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.hubble.annotations }}
   annotations:
   {{- toYaml . | nindent 4 }}
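Review bot: The switch to `kind: RoleBinding` confines whatever the referenced role grants to `.Release.Namespace`, but the `roleRef` and `subjects` sections lie outside this hunk, so it cannot be confirmed here whether the binding still points at a ClusterRole or at a namespaced Role; a RoleBinding may reference either, and a ClusterRole bound this way still only takes effect inside the binding's namespace. The diffstat shows only this file changed, so the role object itself keeps whatever rules it had before; the scoping comes entirely from the binding kind. A one-line template comment above `kind: RoleBinding`, such as `# RoleBinding, not ClusterRoleBinding: the referenced role's rules apply only within .Release.Namespace`, would keep a later edit from silently widening it back to cluster scope. If the referenced object is a ClusterRole, it is worth checking whether it can become a namespaced Role in the same directory so that no cluster-scoped RBAC object remains for the cert-generation CronJob; the rest of the manifest continues past this hunk.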