From bc4a453dd204bd4c4482f0970603bd425110aa13 Mon Sep 17 00:00:00 2001
From: paul foster
Date: Mon, 16 Mar 2026 21:16:09 +1100
Subject: [PATCH] added acm spoke hub clusters
---
 charts/acm-operator/Chart.yaml | 2 +-
 .../applicationset-controller-rbac.yaml | 43 +++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/charts/acm-operator/Chart.yaml b/charts/acm-operator/Chart.yaml
index 5c60518..431123f 100644
--- a/charts/acm-operator/Chart.yaml
+++ b/charts/acm-operator/Chart.yaml
@@ -9,6 +9,6 @@ dependencies:
 version: 1.1.0
 repository: https://rh-mobb.github.io/validated-pattern-helm-charts/
 name: acm-operator
-version: 0.5.19
+version: 0.5.20
 apiVersion: v2
 description: Chart to deploy Red Hat Advanced Cluster Management (RHACM) with ArgoCD ApplicationSets for spoke cluster management
diff --git a/charts/acm-operator/templates/applicationset-controller-rbac.yaml b/charts/acm-operator/templates/applicationset-controller-rbac.yaml
index a99ad21..94001fa 100644
--- a/charts/acm-operator/templates/applicationset-controller-rbac.yaml
+++ b/charts/acm-operator/templates/applicationset-controller-rbac.yaml
@@ -1,3 +1,6 @@
+# The clusterDecisionResource generator in ApplicationSets requires the
+# ApplicationSet controller to read ACM PlacementDecisions. The GitOps
+# operator does not grant this by default.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15,6 +18,7 @@ rules:
 - list
 - watch
 ---
+# Bind to openshift-gitops ApplicationSet controller
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -30,6 +34,8 @@ subjects:
 name: cluster-gitops-applicationset-controller
 namespace: openshift-gitops
 ---
+# Bind to application-gitops ApplicationSet controller so team
+# ApplicationSets in *-team namespaces can use clusterDecisionResource
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -44,3 +50,40 @@ subjects:
 - kind: ServiceAccount
 name: application-gitops-applicationset-controller
 namespace: application-gitops
+---
+# When applicationSet.sourceNamespaces is set on the ArgoCD CR, the
+# ApplicationSet controller needs cluster-scoped read access to AppProjects
+# to validate project membership across namespaces. The OpenShift GitOps
+# operator does not add this to the controller's ClusterRole automatically.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: applicationset-appproject-reader
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - appprojects
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Bind to application-gitops ApplicationSet controller which has
+# applicationSet.sourceNamespaces: ["*-team", "application-gitops"]
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: application-gitops-applicationset-appproject-reader
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: applicationset-appproject-reader
+subjects:
+- kind: ServiceAccount
+ name: application-gitops-applicationset-controller
+ namespace: application-gitops
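Review bot: The new ClusterRoleBinding at the end of the hunk grants the `application-gitops-applicationset-controller` service account get/list/watch on AppProjects in every namespace, which is wider than the two namespace sets the comment names (`*-team` and `application-gitops`) and includes the cluster-gitops instance's AppProjects in openshift-gitops. If the controller only needs AppProjects from its own Argo CD namespace plus the team namespaces, a RoleBinding to the same ClusterRole in each of those namespaces would keep the grant namespaced; the `*-team` glob may be why a cluster-wide binding was chosen, and if so that reasoning belongs in the manifest, e.g. `# ClusterRoleBinding rather than per-namespace RoleBindings because *-team namespaces are not enumerable at render time; note this also lets the controller read AppProjects in openshift-gitops`. The sourceNamespaces list quoted in the second comment is copied from the ArgoCD CR and will silently drift if that CR changes, so pointing at where the value is set is safer than restating it here. The context lines at the top of the hunk belong to a ClusterRoleBinding whose start is outside the hunk.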