From 7b4df7a625fa6891bcbd53ae1807b42c49666328 Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Fri, 15 Mar 2024 23:20:11 -0700
Subject: [PATCH 1/3] injector: add get for nodes in clusterrole Required for operator-lib leader logic
---
 templates/injector-clusterrole.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml
index d5682dd76..df603f250 100644
--- a/templates/injector-clusterrole.yaml
+++ b/templates/injector-clusterrole.yaml
@@ -21,4 +21,10 @@ rules:
 - "list"
 - "watch"
 - "patch"
+{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs:
+ - "get"
+{{ end }}
 {{ end }}
From 32b91fee4f01ddc45be8839e8279bc92ecbd0431 Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Mon, 18 Mar 2024 11:36:43 -0700
Subject: [PATCH 2/3] tests for nodes permissions
---
 test/unit/injector-clusterrole.bats | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/test/unit/injector-clusterrole.bats b/test/unit/injector-clusterrole.bats
index 7c25f39dc..0956cceff 100755
--- a/test/unit/injector-clusterrole.bats
+++ b/test/unit/injector-clusterrole.bats
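Review bot: The new `nodes` rule in templates/injector-clusterrole.yaml carries no comment explaining why the injector needs it, and because this is a ClusterRole the grant covers every Node object in the cluster rather than anything scoped to the injector's namespace. The commit message ties it to operator-lib leader logic, so I would record that next to the rule, for example `{{- /* nodes/get is read by operator-lib leader election (leaderElector.enabled and replicas > 1); keep the verbs to "get" only */}}` placed just above the `{{- if and ...` line. That gives a later RBAC audit the justification in the template itself and makes an accidental widening to `list`/`watch` easier to spot in review. As a smaller style point, the block's closing `{{ end }}` is not left-trimmed like its opening `{{- if`, so the rendered rules will likely carry a stray blank line.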
@@ -20,3 +20,33 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
 }
+
+@test "injector/ClusterRole: no nodes permissions when replicas=1" {
+ cd `chart_dir`
+ local rules=$(helm template \
+ --show-only templates/injector-clusterrole.yaml \
+ --set 'injector.replicas=1' \
+ . | tee /dev/stderr |
+ yq '.rules' | tee /dev/stderr)
+ rules_length=$(echo "${rules}" | yq 'length')
+ [ "${rules_length}" = "1" ]
+ resources_length=$(echo "${rules}" | yq '.[0].resources | length')
+ [ "${resources_length}" = "1" ]
+ resource=$(echo "${rules}" | yq -r '.[0].resources[0]')
+ [ "${resource}" = "mutatingwebhookconfigurations" ]
+}
+
+@test "injector/ClusterRole: nodes permissions when replicas=2" {
+ cd `chart_dir`
+ local rules=$(helm template \
+ --show-only templates/injector-clusterrole.yaml \
+ --set 'injector.replicas=2' \
+ . | tee /dev/stderr |
+ yq '.rules' | tee /dev/stderr)
+ rules_length=$(echo "${rules}" | yq 'length')
+ [ "${rules_length}" = "2" ]
+ resources_length=$(echo "${rules}" | yq '.[1].resources | length')
+ [ "${resources_length}" = "1" ]
+ resource=$(echo "${rules}" | yq -r '.[1].resources[0]')
+ [ "${resource}" = "nodes" ]
+}
From a0eff1883d1ec91618322df9c7f4b1d576788fdc Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Mon, 18 Mar 2024 16:18:09 -0700
Subject: [PATCH 3/3] changelog++
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e0cb0af8..97d275037 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+Bugs:
+* injector: add missing `get` `nodes` permission to ClusterRole [GH-1005](https://github.com/hashicorp/vault-helm/pull/1005)
+
 ## 0.27.0 (November 16, 2023)
 Changes:
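Review bot: Neither new test in test/unit/injector-clusterrole.bats covers `injector.leaderElector.enabled=false` with more than one replica, which is the branch of the template's `and` that must withhold the `nodes` rule. The replicas=2 test never sets that value, so it appears to pass only because the chart default leaves leader election on. It also checks the resource name but not the verbs, so a later change that widened the rule beyond `get` would still pass. I would add a negative test for the disabled case and pin the verbs in the replicas=2 test, as sketched below.

```shell
@test "injector/ClusterRole: no nodes permissions when leaderElector is disabled" {
  cd `chart_dir`
  local rules=$(helm template \
      --show-only templates/injector-clusterrole.yaml \
      --set 'injector.replicas=2' \
      --set 'injector.leaderElector.enabled=false' \
      . | tee /dev/stderr |
      yq '.rules' | tee /dev/stderr)
  rules_length=$(echo "${rules}" | yq 'length')
  [ "${rules_length}" = "1" ]
}

@test "injector/ClusterRole: nodes permissions when replicas=2" {
  # … unchanged: helm template call and the resources assertions …
  verbs_length=$(echo "${rules}" | yq '.[1].verbs | length')
  [ "${verbs_length}" = "1" ]
  verb=$(echo "${rules}" | yq -r '.[1].verbs[0]')
  [ "${verb}" = "get" ]
}
```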