From c64ee7025c11ed4b0e484a4c37c8990bf47dafb6 Mon Sep 17 00:00:00 2001 From: Yaytay Date: Wed, 10 May 2023 12:23:04 +0100 Subject: [PATCH] Document need for access to namespaces with dashboardNamespaceSelector --- deploy/cluster_roles/README.md | 12 +++++- ...e_grafana_operator_namespace_selector.yaml | 40 +++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 deploy/cluster_roles/cluster_role_grafana_operator_namespace_selector.yaml diff --git a/deploy/cluster_roles/README.md b/deploy/cluster_roles/README.md index ae56399df..ac7a4e1e0 100644 --- a/deploy/cluster_roles/README.md +++ b/deploy/cluster_roles/README.md @@ -10,12 +10,22 @@ If specifying the `--scan-all`, `--namespaces`, `DASHBOARD_NAMESPACES_ALL="true" then the ServiceAccount that Grafana is running as needs view access to the GrafanaDashboard resources in other namespaces. To grant those permissions the following ClusterRole and ClusterRoleBinding need to be deployed. -Create the `ClusterRole` +When using the `dashboardNamespaceSelector` the ServiceAccount also needs to be able to access other namespaces in the cluster +and you should use the second example below. +Note that these two examples both create a ClusteRole called `grafana-operator` and only one of them should be used. + +Create the `ClusterRole` without access to namesapces ```shell kubectl create -f deploy/cluster_roles/cluster_role_grafana_operator.yaml ``` +Create the `ClusterRole` with access to namespaces + +```shell +kubectl create -f deploy/cluster_roles/cluster_role_grafana_operator_namespace_selector.yaml +``` + Create the `ClusterRoleBinding` for the `ServiceAccount/grafana-operator` in the given namespace ```shell diff --git a/deploy/cluster_roles/cluster_role_grafana_operator_namespace_selector.yaml b/deploy/cluster_roles/cluster_role_grafana_operator_namespace_selector.yaml new file mode 100644 index 000000000..08b4a7aa8 --- /dev/null 
+++ b/deploy/cluster_roles/cluster_role_grafana_operator_namespace_selector.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: grafana-operator
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - integreatly.org
+ resources:
+ - grafanadashboards
+ - grafanadatasources
+ - grafanadatasources/status
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - deletecollection
+ - watch
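Review bot: The new manifest reuses `metadata.name: grafana-operator`, the same name the existing `cluster_role_grafana_operator.yaml` creates, so `kubectl create` of whichever file is applied second fails with AlreadyExists and the only thing telling an operator that the two are mutually exclusive is the README; the manifest itself should say so. Consider a header comment on the new file along the lines of `# Superset of cluster_role_grafana_operator.yaml: adds read-only access to Namespace objects, needed when dashboardNamespaceSelector is set. Deploy this file OR the original, never both.` The `namespaces` rule grants cluster-wide `get`/`list`/`watch`, which is presumably the minimum the label selector needs to resolve matching namespaces; keeping it read-only (no `create`/`update`/`patch` as on the `events` rule above) is correct and is worth stating in the comment so a later copy-paste does not widen it. `creationTimestamp: null` is a `kubectl get -o yaml` artifact and can be dropped.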