From b99dee70dde0fd5098d621d09938a7561ab6472a Mon Sep 17 00:00:00 2001
From: York Chen
Date: Mon, 25 Sep 2023 15:36:43 -0400
Subject: [PATCH 1/3] fix: use dedicated clusterrole for kcore hooks
---
 .../post_install_kommandercore_hook.yaml | 22 ++++++++++++--
 .../pre_upgrade_kommandercore_hook.yaml | 29 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
index 7964d197f..db4055b06 100644
--- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
@@ -10,6 +10,25 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-installation
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups:
+ - dkp.d2iq.io
+ resources:
+ - kommandercores
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ .Chart.Name }}-installation
@@ -20,12 +39,11 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: {{ .Chart.Name }}-installation
 subjects:
 - kind: ServiceAccount
 name: {{ .Chart.Name }}-installation
 namespace: {{ .Release.Namespace }}
-
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
index 417e66e11..ebb9e8cec 100644
--- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
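Review bot: The new `ClusterRole` in post_install_kommandercore_hook.yaml (first hunk) still grants its verbs on `kommandercores` in every namespace, because it is bound through a `ClusterRoleBinding`. If `kommandercores` is a namespaced resource and the hook job only works in `{{ .Release.Namespace }}` (neither is visible in this hunk), a `Role` plus `RoleBinding` in that namespace would narrow the grant further than the move away from `cluster-admin` already does; the same question applies to the `-pre-upgrade` ClusterRole in the second file. A comment above `rules:` naming the hook step that needs each verb, for example `# create: needed by the post-install job to create the KommanderCore object` (wording to be confirmed against the job script), would let later verb additions be reviewed against a stated purpose.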
@@ -11,6 +11,33 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-pre-upgrade
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups:
+ - dkp.d2iq.io
+ - helm.toolkit.fluxcd.io
+ resources:
+ - kommandercores
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - dkp.d2iq.io
+ resources:
+ - kommandercores
+ verbs:
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ .Chart.Name }}-pre-upgrade
@@ -21,7 +48,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: {{ .Chart.Name }}-pre-upgrade
 subjects:
 - kind: ServiceAccount
 name: {{ .Chart.Name }}-pre-upgrade
From e9e95e1af9b584077dfa36ba9f96dc2c44e7f822 Mon Sep 17 00:00:00 2001
From: York Chen
Date: Mon, 25 Sep 2023 16:08:21 -0400
Subject: [PATCH 2/3] chore: add missing kommandercores/status
---
 .../templates/pre_upgrade_kommandercore_hook.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
index ebb9e8cec..6b3ba83e8 100644
--- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
@@ -33,6 +33,7 @@ rules:
 - dkp.d2iq.io
 resources:
 - kommandercores
+ - kommandercores/status
 verbs:
 - patch
 - update
From e68699f8b829d3f558ca1c1b18ebf656117f18e3 Mon Sep 17 00:00:00 2001
From: York Chen
Date: Wed, 4 Oct 2023 17:31:42 -0400
Subject: [PATCH 3/3] chore: add patch & update for post install job
---
 .../templates/post_install_kommandercore_hook.yaml | 2 ++
 1 file changed, 2 insertions(+)
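Review bot: The first rule of the `-pre-upgrade` ClusterRole (first hunk of pre_upgrade_kommandercore_hook.yaml in patch 1/3) lists two API groups and two resources in one rule, and RBAC evaluates such a rule as the cross product of the two lists. It therefore also names `helmreleases` under `dkp.d2iq.io` and `kommandercores` under `helm.toolkit.fluxcd.io`, which is presumably unintended and makes the grant harder to audit. Splitting it into one read rule per API group keeps each grant exact; the patch/update rule below it is already scoped to a single group.

```yaml
rules:
  - apiGroups:
      - dkp.d2iq.io
    resources:
      - kommandercores
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - helmreleases
    verbs:
      - get
      - list
      - watch
  # … unchanged: patch/update rule on dkp.d2iq.io kommandercores …
```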
diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
index db4055b06..0308741e0 100644
--- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
@@ -27,6 +27,8 @@ rules:
 - list
 - watch
 - create
+ - patch
+ - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
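Review bot: Adding `patch` and `update` to the existing rule lets the post-install job modify every `kommandercores` object the ClusterRole reaches, not only the one it creates. The rule starts above this hunk, so only the tail of its verb list is visible here. If the job only ever changes a single, known object, the write verbs could move to a second rule restricted with `resourceNames`, leaving `create` in the unrestricted rule because create requests cannot be limited by resource name. The object name in the sketch is a placeholder for whatever name the hook uses.

```yaml
  # … unchanged: existing rule with get, list, watch, create …
  - apiGroups:
      - dkp.d2iq.io
    resources:
      - kommandercores
    resourceNames:
      - "<kommandercore-name>"  # placeholder: the object the hook manages
    verbs:
      - patch
      - update
```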