From fe14d73673eb253ddd3bf681ef8b659539a20195 Mon Sep 17 00:00:00 2001
From: Alan Cha
Date: Fri, 27 Mar 2026 15:31:39 -0400
Subject: [PATCH] fix(rbac): Add missing agentruntimes permissions to ClusterRole

AgentRuntimeReconciler has been deployed in production without the necessary RBAC permissions, causing continuous permission errors in operator logs.

## Problem

The operator's ServiceAccount cannot list/watch AgentRuntime CRDs:

```
agentruntimes.agent.kagenti.dev is forbidden: User "system:serviceaccount:kagenti-operator-system:controller-manager" cannot list resource "agentruntimes" in API group "agent.kagenti.dev" at the cluster scope
```

This error repeats continuously with exponential backoff, filling logs and preventing AgentRuntime reconciliation.

## Root Cause

1. AgentRuntimeReconciler is always registered (cmd/main.go:323-330)
2. Controller declares required RBAC in code annotations:

```go
// +kubebuilder:rbac:groups=agent.kagenti.dev,resources=agentruntimes,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=agent.kagenti.dev,resources=agentruntimes/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=agent.kagenti.dev,resources=agentruntimes/finalizers,verbs=update
```

3. Helm chart ClusterRole template is missing these permissions

## Solution

Add agentruntimes permissions to charts/kagenti-operator/templates/rbac/role.yaml matching the kubebuilder RBAC annotations in agentruntime_controller.go.

## Impact

- Fixes permission errors in operator logs
- Enables AgentRuntime controller to function correctly
- Allows per-workload identity/observability configuration

## Testing

Deployed operator with fix in kind cluster:

- Permission errors stopped immediately
- AgentRuntime controller can now list/watch CRDs
- No regressions in other controllers

Fixes a pre-existing bug affecting all deployments.

Signed-off-by: Alan Cha
---
 .../kagenti-operator/templates/rbac/role.yaml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/charts/kagenti-operator/templates/rbac/role.yaml b/charts/kagenti-operator/templates/rbac/role.yaml index d04f23d..339c376 100755 --- a/charts/kagenti-operator/templates/rbac/role.yaml +++ b/charts/kagenti-operator/templates/rbac/role.yaml @@ -120,6 +120,32 @@ rules: - get - patch - update +- apiGroups: + - agent.kagenti.dev + resources: + - agentruntimes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - agent.kagenti.dev + resources: + - agentruntimes/finalizers + verbs: + - update +- apiGroups: + - agent.kagenti.dev + resources: + - agentruntimes/status + verbs: + - get + - patch + - update - apiGroups: - networking.k8s.io resources:
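Review bot: the first added rule in this hunk grants `create` and `delete` on `agentruntimes` at cluster scope, which is broader than a reconciler of its own CR normally needs (the reconcile loop exercises get/list/watch plus update/patch on the object, update on `agentruntimes/finalizers`, and get/update/patch on `agentruntimes/status`, all of which the other two rules already cover); since the rule copies the kubebuilder marker verb list verbatim, please confirm AgentRuntimeReconciler actually creates or deletes AgentRuntime objects, and if not, trim both the marker and this rule so the ClusterRole stays least-privilege. Because the chart role is maintained by hand and drifted from the markers, a CI step that diffs this template against the controller-gen generated role would catch the next missing rule before it reaches production. Also, the file header shows the template is still mode 100755; a YAML template should not carry the executable bit.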