From 8acf1f1528cb0e941b90666ee6d4c95acea9567d Mon Sep 17 00:00:00 2001
From: Robert Brennan <contact@rbren.io>
Date: Tue, 17 Oct 2023 16:34:32 -0400
Subject: [PATCH] [stable/insights-agent] fix rbac for opa (#1350)

* fix rbac for opa

* update version

---------

Co-authored-by: Andy Suderman <andy@fairwinds.com>
---
 stable/insights-agent/CHANGELOG.md            |  3 +++
 stable/insights-agent/Chart.yaml              |  2 +-
 stable/insights-agent/ci/test-values.yaml     | 26 +++++++++++++++++++
 stable/insights-agent/templates/opa/rbac.yaml |  2 +-
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/stable/insights-agent/CHANGELOG.md b/stable/insights-agent/CHANGELOG.md
index 2bdf6e7ea..5e1d280f2 100644
--- a/stable/insights-agent/CHANGELOG.md
+++ b/stable/insights-agent/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 2.24.3
+* Fix for adding additional rules for OPA via insights-admission
+
 ## 2.24.2
 * bump `pluto` to version 5.18
 
diff --git a/stable/insights-agent/Chart.yaml b/stable/insights-agent/Chart.yaml
index 06aec8382..f9eaa3bb2 100644
--- a/stable/insights-agent/Chart.yaml
+++ b/stable/insights-agent/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart to run the Fairwinds Insights agent
 name: insights-agent
-version: 2.24.2
+version: 2.24.3
 appVersion: 9.2.1
 kubeVersion: ">= 1.22.0-0"
 icon: https://raw.githubusercontent.com/FairwindsOps/charts/master/stable/insights-agent/icon.png
diff --git a/stable/insights-agent/ci/test-values.yaml b/stable/insights-agent/ci/test-values.yaml
index 21c9530fe..0dffd34c6 100644
--- a/stable/insights-agent/ci/test-values.yaml
+++ b/stable/insights-agent/ci/test-values.yaml
@@ -110,6 +110,32 @@ prometheus:
 admission:
   enabled: true
 
+insights-admission:
+  webhookConfig:
+    failurePolicy: Ignore
+    rules:
+    - apiGroups:
+      - ""
+      apiVersions:
+      - "v1"
+      operations:
+      - CREATE
+      - UPDATE
+      - DELETE
+      resources:
+      - namespaces
+      scope: Cluster
+    - apiGroups:
+      - apps
+      apiVersions:
+      - "v1"
+      operations:
+      - DELETE
+      resources:
+      - deployments
+      - statefulsets
+      scope: Cluster
+
 awscosts:
   enabled: false
   secretName: awscosts-secret
diff --git a/stable/insights-agent/templates/opa/rbac.yaml b/stable/insights-agent/templates/opa/rbac.yaml
index bfcb380fc..2b7b5c38e 100644
--- a/stable/insights-agent/templates/opa/rbac.yaml
+++ b/stable/insights-agent/templates/opa/rbac.yaml
@@ -87,8 +87,8 @@ metadata:
   name: {{ include "insights-agent.fullname" $ }}-opa-admission-targetresources
   labels:
     app: insights-agent
-{{- range $AdmissionValues.webhookConfig.rules }}
 rules:
+{{- range $AdmissionValues.webhookConfig.rules }}
 - apiGroups:
 {{ toYaml .apiGroups | indent 2 }}
   resources: