[SREP-2115] Fix RBAC error by adding Secrets to cache configuration (#416)

abyrne55 · claude · web-flow · commit a0fcbde31ead · 2025-10-21T19:33:28.000Z
* [SREP-2115] Fix RBAC error by adding Secrets to cache configuration This fixes the RBAC permission error: "failed to list *v1.Secret: secrets is forbidden: User 'system:serviceaccount:openshift-cloud-ingress-operator:cloud-ingress-operator' cannot list resource 'secrets' in API group '' at the cluster scope" Root cause: The operator accesses Secrets for cloud credentials (AWS/GCP) but Secrets were not explicitly configured in the controller-runtime cache. When a resource type is not in the cache's ByObject configuration, controller-runtime attempts to set up a cluster-wide watch/list. This fails because the operator only has namespace-scoped RBAC permissions for Secrets. Solution: Added corev1.Secret to the cache ByObject configuration with the same namespace restrictions as other resources. This ensures Secrets are only cached in the namespaces specified by WATCH_NAMESPACE, which includes openshift-cloud-ingress-operator where the credential secrets are stored. Fixes: SREP-2115 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update boilerplate to latest version Ran 'make boilerplate-update' to sync with latest boilerplate changes: - Updated OWNERS_ALIASES (removed Dee-6777) - Updated boilerplate metadata and tracking 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
@@ -65,7 +65,6 @@ aliases:
     - feichashao
     - samanthajayasinghe
     - xiaoyu74
-    - Dee-6777
     - Tessg22
     - smarthall
   srep-infra-cicd:
diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit
@@ -1 +1 @@
-d7285a904eda6cf842ddff8c648dedb223934a75
+d34e59645cd877be62073b0df2ff91de2ea7659c
diff --git a/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES b/boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES
diff --git a/main.go b/main.go
@@ -128,6 +128,9 @@ func main() {
 				&corev1.Service{}: {
 					Namespaces: namespaces,
 				},
+				&corev1.Secret{}: {
+					Namespaces: namespaces,
+				},
 			},
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-d7285a904eda6cf842ddff8c648dedb223934a75`
	`1`	`+d34e59645cd877be62073b0df2ff91de2ea7659c`