From 123a26abb3a4194c840c381e8ecaa991cf482a39 Mon Sep 17 00:00:00 2001
From: Matt Brown
Date: Sun, 24 Jan 2021 14:17:33 +0000
Subject: [PATCH] deploy, helm: enable secret watch in rbac enables secret ''watch'' rbac permission for ceph-csi-rbd-provisioner role. Fixes 1841.
Signed-off-by: Matt Brown
---
 charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml | 2 +-
 deploy/rbd/kubernetes/csi-provisioner-rbac.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml
index 6f6adcd53..d4dde7631 100644
--- a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml
@@ -12,7 +12,7 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- verbs: ["get", "list"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["persistentvolumes"]
 verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
diff --git a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
index d06e71842..e45c3edca 100644
--- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
@@ -15,7 +15,7 @@ rules:
 verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["secrets"]
- verbs: ["get", "list"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["list", "watch", "create", "update", "patch"]
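Review bot: The `secrets` rule in charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml now carries `get`, `list` and `watch` with no `resourceNames` or namespace restriction visible in the hunk, and nothing in the manifest records which component needs the watch. On a ClusterRole, `list` and `watch` on secrets each return full secret data for every namespace, so the added verb lets the provisioner's service account hold a standing stream of all secret changes and deserves an in-place justification. I would add a comment above the rule along the lines of `# watch on secrets: required by <component> (issue 1841); list/watch expose secret data cluster-wide`, and keep the rule to `get` if the consumer only reads secrets it is handed by name. The same point applies to the matching hunk in deploy/rbd/kubernetes/csi-provisioner-rbac.yaml; the role kind and its binding sit outside both hunks, so the effective scope should be confirmed there.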