From 1070ca1464e13befc51e3a82e1b127ab1109f578 Mon Sep 17 00:00:00 2001
From: shujaat hasan
Date: Tue, 2 Jun 2026 16:20:17 +0200
Subject: [PATCH] fix(rbac): grant `get` on configmaps/secrets to jobs-manager SA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ingestion endpoint's orphan-resource verify path (client-runtime#52) and missing-row self-heal (client-runtime#54) read the existing ConfigMap/Secret on a create-409 to confirm content matches before reuse. The Role/ClusterRole only granted `create`, so those reads returned Forbidden and the endpoint 500'd instead of the intended 409/200-replay — verified live on the dev cluster.

Add `get` alongside `create` in both the ClusterRole (clusterScope: true) and namespace Role (clusterScope: false) branches.

Co-Authored-By: Claude Opus 4.8
---
 client/templates/rbac.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/client/templates/rbac.yaml b/client/templates/rbac.yaml
index 3982a5c..9f38644 100644
--- a/client/templates/rbac.yaml
+++ b/client/templates/rbac.yaml
@@ -44,7 +44,12 @@ rules:
 verbs: ["create"]
 - apiGroups: [""]
 resources: ["configmaps", "secrets"]
- verbs: ["create"]
+ # `get` is required by jobs-manager's orphan-resource verify path
+ # (client-runtime#52) and the missing-row self-heal (client-runtime#54):
+ # on a create-409 it reads the existing ConfigMap/Secret to confirm the
+ # content matches before reusing it. Without `get`, those reads return
+ # Forbidden and the endpoint 500s instead of the intended 409/replay.
+ verbs: ["create", "get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
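Review bot: The added `get` on `secrets` in this ClusterRole branch (`verbs: ["create", "get"]`) gives the jobs-manager SA read access to every Secret in every namespace, but the new comment only explains the create-409 read-back and never states that widening. If the colliding object's name is generated per request, as the create-409 path suggests, `resourceNames` cannot narrow the grant and it is probably unavoidable in cluster-scoped mode, which is exactly why it should be written down so the scope is reviewed deliberately rather than read as a harmless read-only verb. I would append to the comment `# In the ClusterRole branch this is a cluster-wide read on all Secrets; resourceNames cannot scope it if the object names are dynamic — keep the SA's token confined to the ingestion endpoint.` The same comment is added in the namespace Role hunk below, where the read is bounded to one namespace and the caveat does not apply. The `rules:` list this entry belongs to starts above the hunk.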
@@ -95,7 +100,12 @@ rules:
 # to authenticate ingestion calls — see the ClusterRole branch above.
 - apiGroups: [""]
 resources: ["configmaps", "secrets"]
- verbs: ["create"]
+ # `get` is required by jobs-manager's orphan-resource verify path
+ # (client-runtime#52) and the missing-row self-heal (client-runtime#54):
+ # on a create-409 it reads the existing ConfigMap/Secret to confirm the
+ # content matches before reusing it. Without `get`, those reads return
+ # Forbidden and the endpoint 500s instead of the intended 409/replay.
+ verbs: ["create", "get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
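Review bot: The five-line comment above `verbs: ["create", "get"]` in this namespace Role hunk is a verbatim copy of the one added in the ClusterRole hunk, and the context line just above this rule already sends readers there with `# … see the ClusterRole branch above.`; two copies of the same rationale will drift the next time one is edited. A one-line pointer keeps a single source of truth, e.g. `# \`get\` is needed for the create-409 read-back (client-runtime#52, #54) — see the ClusterRole branch above.` The `rules:` list this entry belongs to starts above the hunk.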