diff --git a/templates/serviceaccount.yaml b/templates/serviceaccount.yaml
index e9ae773..b10066a 100644
--- a/templates/serviceaccount.yaml
+++ b/templates/serviceaccount.yaml
@@ -29,6 +29,38 @@ rules:
   - apiGroups: ['metrics.k8s.io']
     resources: ['nodes']
     verbs: ['get', 'list']
+  # Read ArgoCD's cluster Secrets (the registered customer-cluster
+  # creds) so Tower can build cross-cluster API clients for capacity
+  # queries. Scoped to a single Role+RoleBinding in the argocd ns —
+  # cluster-scoped Secret access would be over-broad.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-tower-cluster-secrets
+  namespace: argocd
+  labels:
+    {{- include "tower.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ['']
+    resources: ['secrets']
+    verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-tower-cluster-secrets
+  namespace: argocd
+  labels:
+    {{- include "tower.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: tower
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-tower-cluster-secrets
+  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/values.yaml b/values.yaml
index 3add7ca..3fd8c08 100644
--- a/values.yaml
+++ b/values.yaml
@@ -4,7 +4,7 @@ backend:
   enabled: true
   image:
     repository: docker.io/odoosky/tower
-    tag: "0.9.0"
+    tag: "0.9.1"
     pullPolicy: IfNotPresent # IfNotPresent because the image is in
                              # containerd's k8s.io namespace already
                              # (lab1 single-server). Replace with
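Review bot: The new Role's rule `resources: ['secrets']` with `verbs: ['get', 'list']` grants the `tower` ServiceAccount every Secret in the argocd namespace, not just the registered cluster Secrets the comment describes; in a standard ArgoCD install that namespace also holds `argocd-secret` (session-signing key, admin password hash, TLS material) and any repository or credential-template Secrets, so a compromise of Tower yields ArgoCD admin and Git credentials, and the cluster Secrets themselves carry credentials that are typically far broader on each customer cluster than the capacity queries need. RBAC cannot filter Secrets by label, so the only in-RBAC narrowing is `resourceNames:` listing the cluster Secret names, which is workable only if those names are stable in this deployment; otherwise the safer design is a dedicated read-only identity per customer cluster (a ServiceAccount with get/list on nodes and metrics) whose tokens live in Tower's own namespace, leaving ArgoCD's credentials untouched. At minimum the comment should stop claiming the grant is scoped to cluster Secrets; I would replace the third and fourth comment lines with `# NOTE: namespace-scoped list/get on Secrets also exposes argocd-secret and repo creds;` and `# narrow with resourceNames (or a per-cluster read-only SA) before production.` The ClusterRole whose `rules:` list the comment is appended to begins before this hunk.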