From 38cccf89bc2543280e20c21e83315b418e0d2513 Mon Sep 17 00:00:00 2001
From: git_admin
Date: Sun, 26 Apr 2026 20:49:08 +0300
Subject: [PATCH] =?UTF-8?q?tower=200.9.1=20=E2=80=94=20read=20cluster=20Se?=
 =?UTF-8?q?cret=20directly=20for=20capacity=20(RBAC=20scoped=20to=20argocd?=
 =?UTF-8?q?=20ns)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 templates/serviceaccount.yaml | 32 ++++++++++++++++++++++++++++++++
 values.yaml | 2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/templates/serviceaccount.yaml b/templates/serviceaccount.yaml
index e9ae773..b10066a 100644
--- a/templates/serviceaccount.yaml
+++ b/templates/serviceaccount.yaml
@@ -29,6 +29,38 @@ rules:
   - apiGroups: ['metrics.k8s.io']
     resources: ['nodes']
     verbs: ['get', 'list']
+  # Read ArgoCD's cluster Secrets (the registered customer-cluster
+  # creds) so Tower can build cross-cluster API clients for capacity
+  # queries. Scoped to a single Role+RoleBinding in the argocd ns —
+  # cluster-scoped Secret access would be over-broad.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-tower-cluster-secrets
+  namespace: argocd
+  labels:
+    {{- include "tower.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ['']
+    resources: ['secrets']
+    verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-tower-cluster-secrets
+  namespace: argocd
+  labels:
+    {{- include "tower.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: tower
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-tower-cluster-secrets
+  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/values.yaml b/values.yaml
index 3add7ca..3fd8c08 100644
--- a/values.yaml
+++ b/values.yaml
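Review bot: The new Role grants `get` and `list` on every Secret in the argocd namespace, not only the cluster Secrets the comment describes — RBAC cannot filter `list` by the `argocd.argoproj.io/secret-type: cluster` label, so the `tower` ServiceAccount can also read argocd-secret, repository and SSO credentials, and every registered customer-cluster credential becomes reachable from one Tower pod. If the cluster Secret names are stable, drop `list` and pin `get` with `resourceNames`, e.g. `verbs: ['get']` plus `resourceNames: [<cluster-secret-names>]`; otherwise consider having Tower query the ArgoCD cluster API with a read-only account token, or mirroring only the needed kubeconfigs into the release namespace, and state the chosen trade-off in the comment. `namespace: argocd` on both objects and the subject `name: tower` are hard-coded while the other names derive from `.Release.Name`; exposing the ArgoCD namespace as a values key and reusing the ServiceAccount's templated name (defined outside this hunk, so I cannot confirm it is literally `tower`) would keep the chart consistent. The four explanatory comment lines sit above the `+---` and so become trailing text of the preceding ClusterRole document rather than of the Role they describe; moving them below the separator attaches them to the right object.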
@@ -4,7 +4,7 @@ backend:
   enabled: true
   image:
     repository: docker.io/odoosky/tower
-    tag: "0.9.0"
+    tag: "0.9.1"
     pullPolicy: IfNotPresent # IfNotPresent because the image is in
     # containerd's k8s.io namespace already
     # (lab1 single-server). Replace with