From 493c2a0b8fb9a8b91442aa980393d493824f8ea4 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Tue, 24 Feb 2026 15:20:48 +0000 Subject: [PATCH] add explicit permissions for ESO resources I was seeing issues in e2e tests in a separate PR with permissions for ESO resources. I'd thought that the way ESO was configured with the viewer role would mean the permissions were fine, but maybe it's best to be explicit anyway Signed-off-by: Ashley Davis
---
deploy/charts/disco-agent/templates/rbac.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+)
diff --git a/deploy/charts/disco-agent/templates/rbac.yaml b/deploy/charts/disco-agent/templates/rbac.yaml
index cc8ca8aa..92bd1349 100644
--- a/deploy/charts/disco-agent/templates/rbac.yaml
+++ b/deploy/charts/disco-agent/templates/rbac.yaml
@@ -110,3 +110,33 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "disco-agent.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "disco-agent.fullname" . }}-eso-reader
+ labels:
+ {{- include "disco-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["external-secrets.io"]
+ resources:
+ - externalsecrets
+ - clusterexternalsecrets
+ - secretstores
+ - clustersecretstores
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "disco-agent.fullname" . }}-eso-reader
+ labels:
+ {{- include "disco-agent.labels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "disco-agent.fullname" . }}-eso-reader
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "disco-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
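Review bot: The new ClusterRole and ClusterRoleBinding are rendered unconditionally as far as this hunk shows, so every install of the chart carries a cluster-wide read binding on ESO resources even where ESO is not deployed or not meant to be discovered; the head of rbac.yaml is outside the hunk, so if its other resources sit behind a guard such as `{{- if .Values.rbac.create }}` this block should be inside the same guard, and a dedicated opt-out value would let operators drop it. The verb set (`get`, `list`, `watch`) is a sensible minimum, and a ClusterRole is required here anyway because clustersecretstores and clusterexternalsecrets are cluster-scoped. SecretStore specs normally point at credentials through secretRef fields rather than embedding them, but whatever a provider does allow inline becomes readable cluster-wide through this binding, so it is worth confirming the agent only needs the fields it actually consumes. A short comment above the ClusterRole would capture the reason the commit message gives, e.g. `# Read-only access to External Secrets Operator resources; granted explicitly rather than relying on ESO's aggregated view role.`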