chore: Split the roles.yaml into separate files for clusterrole-operator.yaml and clusterrole-product.yaml

NickLarsenNZ · NickLarsenNZ · commit fc97b3c9969e · 2026-04-09T08:17:30.000+02:00
diff --git a/deploy/helm/zookeeper-operator/templates/clusterrole-operator.yaml b/deploy/helm/zookeeper-operator/templates/clusterrole-operator.yaml
@@ -158,22 +158,3 @@ rules:
       - {{ include "operator.name" . }}znodes/status
     verbs:
       - patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
-  # Required on OpenShift to allow ZooKeeper pods to run as a non-root user.
-  - apiGroups:
-      - security.openshift.io
-    resources:
-      - securitycontextconstraints
-    resourceNames:
-      - nonroot-v2
-    verbs:
-      - use
-{{ end }}
diff --git a/deploy/helm/zookeeper-operator/templates/clusterrole-product.yaml b/deploy/helm/zookeeper-operator/templates/clusterrole-product.yaml
@@ -0,0 +1,21 @@
+---
+# Product ClusterRole: bound (via per ZookeeperCluster RoleBinding) to the ServiceAccount that
+# ZooKeeper workload pods run as.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  # Required on OpenShift to allow ZooKeeper pods to run as a non-root user.
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - nonroot-v2
+    verbs:
+      - use
+{{ end }}
