use pre-existing role when syncing cinder-netapp-config

skrobul · skrobul · commit 3a9b1f25e7fa · 2025-08-18T18:31:24.000+01:00
diff --git a/components/argo-events/secret-netapp.yaml b/components/argo-events/secret-netapp.yaml
@@ -1,26 +1,4 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: eso-cross-namespace-secret-reader
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: eso-openstack-cross-namespace
-subjects:
-- kind: ServiceAccount
-  name: eso-openstack
-  namespace: openstack
-roleRef:
-  kind: ClusterRole
-  name: eso-cross-namespace-secret-reader
-  apiGroup: rbac.authorization.k8s.io
----
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
@@ -37,7 +15,3 @@ spec:
   dataFrom:
     - extract:
         key: cinder-netapp-config
-        # necessary to avoid argoproj/argo-cd#13004
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
diff --git a/components/openstack/templates/secretstore-openstack.yaml.tpl b/components/openstack/templates/secretstore-openstack.yaml.tpl
@@ -27,6 +27,7 @@ rules:
   resourceNames:
   - svc-acct-argoworkflow
   - svc-acct-netapp
+  - cinder-netapp-config
 - apiGroups:
   - authorization.k8s.io
   resources:
