From 92008a07b220ff8c50c577ba69b6916fc0fcee03 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Wed, 26 Nov 2025 17:24:39 +0200
Subject: [PATCH 1/3] fix: remove nonResourceURLs from RBAC rules for event reporters

Eliminate unnecessary nonResourceURLs permissions from the RBAC configuration of both cluster and runtime event reporters to enhance security and adhere to least privilege principles.
---
 .../event-reporters/cluster-event-reporter/rbac.yaml | 4 ----
 .../event-reporters/runtime-event-reporter/rbac.yaml | 4 ----
 2 files changed, 8 deletions(-)

diff --git a/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml b/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml
index 4ab10d33..2b06f30b 100644
--- a/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml
+++ b/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/rbac.yaml
@@ -23,10 +23,6 @@ rules:
 - '*'
 verbs:
 - '*'
- - nonResourceURLs:
- - '*'
- verbs:
- - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{ $context.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
diff --git a/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml b/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml
index a11a1e14..6cef61e9 100644
--- a/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml
+++ b/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/rbac.yaml
@@ -23,10 +23,6 @@ rules:
 - '*'
 verbs:
 - '*'
- - nonResourceURLs:
- - '*'
- verbs:
- - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{ $context.Values.global.runtime.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }}
From 81b6e81f41fcc8188003e40107b344cdbe4d0106 Mon Sep 17 00:00:00 2001
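Review bot: The rule left behind in the cluster-event-reporter hunk still ends in `verbs:` / `- '*'` directly under another `- '*'` entry, so what remains is a full wildcard grant and dropping nonResourceURLs narrows very little; the runtime-event-reporter hunk below has the identical shape and the same point applies there. For a component whose job is reporting events, the verbs it needs are presumably read-only, so the rule could enumerate them, e.g. `verbs: ["get", "list", "watch"]`, and list the resource kinds it actually consumes instead of `'*'`. This matters most when `singleNamespace` is false, since the visible `kind:` line then binds the role cluster-wide via ClusterRoleBinding. The rule's earlier fields start outside the hunk, so I cannot confirm what the `- '*'` above `verbs:` belongs to, though it reads as a wildcard resource list.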
From: Noam Gal
Date: Thu, 27 Nov 2025 17:41:37 +0200
Subject: [PATCH 2/3] fix: add IS_NAMESPACED_RUNTIME variable to environment variables for event reporters

This change introduces the IS_NAMESPACED_RUNTIME variable in the environment configuration for both cluster and runtime event reporters. This variable is set to the value of .Values.global.runtime.singleNamespace, ensuring that the runtime context is correctly reflected in the environment settings.
---
 .../templates/event-reporters/cluster-event-reporter/_env.yaml | 1 +
 .../templates/event-reporters/runtime-event-reporter/_env.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/_env.yaml b/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/_env.yaml
index d8e1e2ec..0cc3e23a 100644
--- a/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/_env.yaml
+++ b/charts/gitops-runtime/templates/event-reporters/cluster-event-reporter/_env.yaml
@@ -2,6 +2,7 @@
 HTTP_PROXY: {{ .Values.global.httpProxy | squote}}
 HTTPS_PROXY: {{ .Values.global.httpsProxy | squote }}
 NO_PROXY: {{ .Values.global.noProxy | squote }}
+IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }}
 {{- if and (eq (index .Values "global" "integrations" "argo-cd" "server" "auth" "type") "token") }}
 {{- if not (index .Values "global" "integrations" "argo-cd" "server" "auth" "token") }}
diff --git a/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/_env.yaml b/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/_env.yaml
index 02d0cefa..e6063059 100644
--- a/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/_env.yaml
+++ b/charts/gitops-runtime/templates/event-reporters/runtime-event-reporter/_env.yaml
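Review bot: The added `IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }}` is emitted unquoted, unlike the three proxy lines around it that pipe through `squote`, so it renders as a YAML boolean (`true`/`false`), or as an empty value (null) if the setting is unset. If this map is consumed as container `env` values or ConfigMap `data`, those must be strings and a bare boolean fails to unmarshal at install time; the helper's enclosing definition starts outside the hunk so I cannot see the consumer, but the surrounding `squote` usage suggests strings are expected. Suggest `IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace | squote }}` here and in the identical runtime-event-reporter hunk that follows.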
@@ -2,6 +2,7 @@
 HTTP_PROXY: {{ .Values.global.httpProxy | squote}}
 HTTPS_PROXY: {{ .Values.global.httpsProxy | squote }}
 NO_PROXY: {{ .Values.global.noProxy | squote }}
+IS_NAMESPACED_RUNTIME: {{ .Values.global.runtime.singleNamespace }}
 {{- if and (eq (index .Values "global" "integrations" "argo-cd" "server" "auth" "type") "token") }}
 {{- if not (index .Values "global" "integrations" "argo-cd" "server" "auth" "token") }}
From 40db9d0a501f01a0ee1570055372b04882a7c626 Mon Sep 17 00:00:00 2001
From: Noam Gal
Date: Sun, 30 Nov 2025 14:21:22 +0200
Subject: [PATCH 3/3] update event-reporters image to `e6944d6`

---
 charts/gitops-runtime/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index 316b89fd..abde29d9 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -143,7 +143,7 @@ global:
 image:
 registry: quay.io
 repository: codefresh/cf-argocd-extras
- tag: 2cb6f85
+ tag: e6944d6
 nodeSelector: {}
 tolerations: []
 affinity: {}