From 7db59bdd7e33d41d7315bb62d71313546b629ce3 Mon Sep 17 00:00:00 2001
From: paul foster
Date: Mon, 16 Mar 2026 22:03:04 +1100
Subject: [PATCH] added acm spoke hub clusters
---
 .../Chart.yaml | 2 +-
 .../applicationset-controller-role.yaml | 54 +++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 charts/app-of-apps-acm-team-onboarding/templates/applicationset-controller-role.yaml
diff --git a/charts/app-of-apps-acm-team-onboarding/Chart.yaml b/charts/app-of-apps-acm-team-onboarding/Chart.yaml
index 2612913..ec19330 100644
--- a/charts/app-of-apps-acm-team-onboarding/Chart.yaml
+++ b/charts/app-of-apps-acm-team-onboarding/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: app-of-apps-acm-team-onboarding
 description: Chart to onboard teams on an ACM hub with AppProjects, RBAC, and placement infrastructure for spoke deployment via ApplicationSets
-version: 0.3.0
+version: 0.3.1
 home: https://rh-mobb.github.io/validated-pattern-helm-charts/
 maintainers:
 - name: rh-mobb
diff --git a/charts/app-of-apps-acm-team-onboarding/templates/applicationset-controller-role.yaml b/charts/app-of-apps-acm-team-onboarding/templates/applicationset-controller-role.yaml
new file mode 100644
index 0000000..3338544
--- /dev/null
+++ b/charts/app-of-apps-acm-team-onboarding/templates/applicationset-controller-role.yaml
@@ -0,0 +1,54 @@
+{{ range $app := .Values.applications }}
+{{ if $app.gitopsCreate }}
+---
+# The application-gitops ApplicationSet controller needs write access in team
+# namespaces to update ApplicationSet status and manage the Applications it
+# generates. The GitOps operator only grants these permissions in the
+# controller's home namespace (application-gitops), not in external
+# sourceNamespaces.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: applicationset-controller
+ namespace: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-team
+rules:
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applicationsets/status
+ verbs:
+ - update
+ - patch
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applicationsets/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: applicationset-controller
+ namespace: {{ $app.apmnum }}-{{ $app.appserviceNumber }}-team
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: applicationset-controller
+subjects:
+ - kind: ServiceAccount
+ name: application-gitops-applicationset-controller
+ namespace: {{ $.Values.gitopsNamespace }}
+{{- end }}
+{{- end }}
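Review bot: The RoleBinding subject at the end of the hunk pairs a hard-coded ServiceAccount name (`application-gitops-applicationset-controller`) with a namespace taken unchecked from `.Values.gitopsNamespace`, so an unset value renders an empty namespace and a changed value can point the binding at a ServiceAccount that does not exist there. Kubernetes accepts bindings to absent subjects, and this Role carries create/update/patch/delete on `applications` in each team namespace, so the grant would pass to whoever can later create a ServiceAccount of that name in that namespace. I would make the value mandatory and quoted, `namespace: {{ required "gitopsNamespace must be set" $.Values.gitopsNamespace | quote }}`, and either derive the ServiceAccount name from the same value or say in the header comment that both must name the same Argo CD instance. As a style point, the opening `{{ range }}` and `{{ if }}` lack the `{{-` trim that the closing `{{- end }}` lines use, which leaves blank lines in the rendered manifest.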