fix(rbac): add namespace to RoleBinding for watch namespace permissions #65

Merged
ian-flores merged 1 commit into main from fix-rbac-rolebinding-namespace
Feb 3, 2026

@ian-flores ian-flores commented Feb 3, 2026

Summary

  • Fixes RBAC permission errors where the operator couldn't watch resources in the posit-team namespace
  • The RoleBinding was missing a namespace field, causing it to be created in posit-team-system instead of posit-team

Changes

  • Add namespace: posit-team to kustomize source (config/rbac/role_binding.yaml)
  • Add Makefile post-processing to template {{ .Values.watchNamespace }} in Helm chart (matching existing pattern for other fixes)

Test plan

  • Deploy to test cluster and verify operator starts without RBAC errors
  • Verify RoleBinding is created in posit-team namespace

The RoleBinding was missing a namespace field, causing it to be created
in posit-team-system instead of posit-team. This prevented the operator
from having permissions to watch resources in the posit-team namespace.

- Add namespace: posit-team to kustomize source
- Add Makefile post-processing to template {{ .Values.watchNamespace }}
  in Helm chart (matching existing pattern for other fixes)

claude bot commented Feb 3, 2026

Claude finished @ian-flores's task


PR Review Complete

  • Read review guidelines
  • Get PR diff
  • Review changes for RBAC/security concerns
  • Submit review

Reviewed the RBAC namespace fix. The changes correctly address the issue where the RoleBinding was missing a namespace field, causing it to be created in the wrong namespace. The sed pattern in the Makefile properly scopes the replacement to only the RoleBinding block.

@claude claude bot left a comment

Security Review: RBAC Changes

This PR correctly addresses a namespace targeting issue where the RoleBinding was missing a namespace, causing it to be created in the operator namespace (posit-team-system) instead of the watch namespace (posit-team).

What was reviewed:

  • RBAC permissions are minimal (no new permissions added)
  • Templates render correctly (verified sed pattern matches)
  • Values have sensible defaults (watchNamespace: posit-team)

Analysis:

  1. Kustomize source (config/rbac/role_binding.yaml): Adds explicit namespace: posit-team which removes the previous NOTE comment that mentioned relying on Pulumi to patch this.

  2. Helm chart (dist/chart/templates/rbac/role_binding.yaml): Uses {{ .Values.watchNamespace }} making the namespace configurable, which is the correct approach.

  3. Makefile sed pattern: The pattern /kind: RoleBinding/,/roleRef:/ correctly scopes the replacement to only the RoleBinding block, avoiding accidental changes to the ClusterRoleBinding in the same file.

Verification:

  • The sed pattern will correctly transform namespace: posit-team to namespace: {{ .Values.watchNamespace }} in the generated Helm template
  • The watchNamespace default value (posit-team) matches the hardcoded value in the kustomize source

LGTM - this is a clean fix that properly addresses the RBAC namespace issue.
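
The range-scoped rewrite discussed in the review above, as an added example that is not part of the PR or the project's Makefile (the exact sed command is not shown on this page). The manifest is constructed, the ClusterRoleBinding and ServiceAccount names are assumptions, and the `$` anchor is an addition here so that `posit-team-system` can never match as a prefix of the search string.

```shell
#!/bin/sh
# Constructed sample: a ClusterRoleBinding and a RoleBinding in one file,
# as in the generated chart template described in the review.
# Names other than team-operator-manager-rolebinding/-role are assumptions.
sample_manifest() {
cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: team-operator-manager-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: team-operator-manager-clusterrole
subjects:
- kind: ServiceAccount
  name: team-operator-controller-manager
  namespace: posit-team-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-operator-manager-rolebinding
  namespace: posit-team
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: team-operator-manager-role
subjects:
- kind: ServiceAccount
  name: team-operator-controller-manager
  namespace: posit-team-system
EOF
}

# Rewrite the namespace only on lines between "kind: RoleBinding" and
# "roleRef:". "kind: ClusterRoleBinding" does not match the range start,
# and the subjects block sits after roleRef:, so the ServiceAccount's
# namespace (where the operator itself runs) is left alone.
template_rolebinding_namespace() {
  sed '/kind: RoleBinding/,/roleRef:/ s/namespace: posit-team$/namespace: {{ .Values.watchNamespace }}/'
}

rendered=$(sample_manifest | template_rolebinding_namespace)
printf '%s\n' "$rendered"
```
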

@ian-flores ian-flores marked this pull request as ready for review February 3, 2026 00:48
@ian-flores commented

Tested on ganso01-staging

Deployed adhoc image ghcr.io/posit-dev/team-operator:adhoc-fix-rbac-rolebinding-namespace-v1.4.1-4-g94a0e88

Verification

Check                     Status
Operator pod              ✅ Running (1/1)
RBAC errors               ✅ None
All controllers started   ✅ Site, Connect, Workbench, PackageManager, Chronicle, Flightdeck, PostgresDatabase
RoleBinding namespace     posit-team (correct)

RoleBinding confirmed in correct namespace

$ kubectl get rolebinding -n posit-team team-operator-manager-rolebinding
NAME                                ROLE                              AGE
team-operator-manager-rolebinding   Role/team-operator-manager-role   2m

Operator logs (clean startup)

INFO    Starting Controller     {"controller": "connect", ...}
INFO    Starting Controller     {"controller": "workbench", ...}
INFO    Starting Controller     {"controller": "flightdeck", ...}
INFO    Starting Controller     {"controller": "postgresdatabase", ...}
...

No forbidden or RBAC errors observed.

@ian-flores ian-flores requested a review from amdove February 3, 2026 01:06
@ian-flores ian-flores merged commit a4867f4 into main Feb 3, 2026
3 checks passed
@ian-flores ian-flores deleted the fix-rbac-rolebinding-namespace branch February 3, 2026 16:18