From 62bc4944ee5e1dd73a0556147e3f68de676fd5c1 Mon Sep 17 00:00:00 2001
From: michaelhtm <98621731+michaelhtm@users.noreply.github.com>
Date: Mon, 26 Jan 2026 13:49:52 -0800
Subject: [PATCH] add cluster role/rolebinding for iamroleselector on namespace scope

IAMRoleSelector is a cluster scoped resource. When a controller is configured as namespace scoped, this change adds a cluster role/rolebinding that gives the controller access to iamroleselector and namespaces.
---
 templates/helm/templates/caches-role.yaml.tpl | 15 ++++++++++++++-
 templates/pkg/resource/registry.go.tpl | 2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/templates/helm/templates/caches-role.yaml.tpl b/templates/helm/templates/caches-role.yaml.tpl
index 49dbe8a4..44647d7c 100644
--- a/templates/helm/templates/caches-role.yaml.tpl
+++ b/templates/helm/templates/caches-role.yaml.tpl
@@ -1,3 +1,4 @@
+{{ VarIncludeTemplate "featuregates" "feature-gates" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -10,6 +11,16 @@ metadata:
     k8s-app: {{ IncludeTemplate "app.name" }}
     helm.sh/chart: {{ IncludeTemplate "chart.name-version" }}
 rules:
+{{ "{{ if contains \"IAMRoleSelector=true\" $featuregates }}" }}
+- apiGroups:
+  - services.k8s.aws
+  resources:
+  - iamroleselectors
+  verbs:
+  - get
+  - list
+  - watch
+{{ "{{ end }}" }}
 - apiGroups:
   - ""
   resources:
@@ -19,6 +30,7 @@ rules:
   - list
   - watch
 ---
+{{ "{{ if eq .Values.enableCARM true }}" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -39,4 +51,5 @@ rules:
   verbs:
   - get
   - list
-  - watch
\ No newline at end of file
+  - watch
+{{ "{{ end }}" }}
\ No newline at end of file
diff --git a/templates/pkg/resource/registry.go.tpl b/templates/pkg/resource/registry.go.tpl
index 57eae938..a0bee45d 100644
--- a/templates/pkg/resource/registry.go.tpl
+++ b/templates/pkg/resource/registry.go.tpl
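Review bot: The new ClusterRole rule is switched on by `contains "IAMRoleSelector=true" $featuregates`, a substring match on the rendered feature-gate string rather than an exact key/value check, so any gate value that merely contains that text also grants cluster-wide read on iamroleselectors; if the gates template renders a delimited `Key=value` list, matching with the surrounding delimiters (or a dedicated helper) would make the grant track the gate exactly. The grant itself is read-only (get/list/watch), which is the right least-privilege shape for a selector the controller only consumes. The commit message says a cluster role and rolebinding are added, but the diffstat touches only this role template and registry.go.tpl; if the existing binding for this ClusterRole is what carries the new permission, one sentence saying so in the message would spare the next reader a search. `$featuregates` is defined by the `VarIncludeTemplate` line added in the first hunk, so it is in scope here.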
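Review bot: Wrapping the Role in `{{ if eq .Values.enableCARM true }}` … `{{ end }}` (this hunk and the last one) drops the namespaced cache Role when CARM is off, but the RoleBinding that references it is not part of this patch; if that binding is not gated on the same value it will render a binding to a Role that no longer exists, which the API server accepts without complaint and which is hard to debug later. Gating the binding identically, or noting in the commit message that it already is, would close that gap. With the value false the rendered file also ends in a bare `---` followed by an empty document; Helm tolerates that, but placing the `{{ if }}` above the `---` would keep the output clean. The file still ends without a trailing newline after `{{ "{{ end }}" }}`.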
@@ -7,7 +7,7 @@ import (
 	acktypes "github.com/aws-controllers-k8s/runtime/pkg/types"
 )
 
-// +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors,verbs=get;list;watch
 // +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=services.k8s.aws,resources=fieldexports,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=services.k8s.aws,resources=fieldexports/status,verbs=get;update;patch
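Review bot: The marker now grants only get/list/watch on iamroleselectors, matching the Helm rule, but the unchanged line directly below still grants get/update/patch on `iamroleselectors/status`; if the controller only reads selectors and never writes their status, that marker should shrink as well, e.g. `// +kubebuilder:rbac:groups=services.k8s.aws,resources=iamroleselectors/status,verbs=get`, otherwise the generated ClusterRole keeps a write path the code does not use. Unlike the Helm rule, this marker is not conditional on the IAMRoleSelector feature gate, so controller-gen output and the chart can grant different permissions for the same resource; a short comment above the marker stating which source is authoritative would help. The import block these context lines close starts before the hunk.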