From 714fbbf22a820f0df8c38c0f5fde044cec790f59 Mon Sep 17 00:00:00 2001
From: jjaruszewski
Date: Wed, 28 Jan 2026 19:25:16 +0100
Subject: [PATCH 1/3] Fix least privilege roles getting trimmed when autogenerate is disabled

Signed-off-by: jjaruszewski
---
 charts/core/templates/role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml
index 661dfa8c..9f7dedc6 100644
--- a/charts/core/templates/role.yaml
+++ b/charts/core/templates/role.yaml
@@ -50,6 +50,7 @@ rules:
 - create
 - get
 - update
+{{- end }}
 ---
 {{- if $oc3 }}
 apiVersion: authorization.openshift.io/v1
@@ -153,4 +154,3 @@ rules:
 - create
 - update
 - patch
-{{- end }}
From 6f6ef93de44e6b646ba2073dda7b03a5cf3b7cce Mon Sep 17 00:00:00 2001
From: jjaruszewski
Date: Wed, 28 Jan 2026 19:25:41 +0100
Subject: [PATCH 2/3] Fix manager talking to the wrong service

Signed-off-by: jjaruszewski
---
 charts/core/templates/manager-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml
index 34b70cb7..0a6cac70 100644
--- a/charts/core/templates/manager-deployment.yaml
+++ b/charts/core/templates/manager-deployment.yaml
@@ -96,7 +96,7 @@ spec:
 - name: MANAGER_SERVER_PORT
 value: "{{ .Values.manager.svc.mgrServerPort}}"
 - name: CTRL_SERVER_IP
- value: neuvector-svc-controller.{{ .Release.Namespace }}
+ value: neuvector-svc-controller-api.{{ .Release.Namespace }}
 {{- if not .Values.manager.env.ssl }}
 - name: MANAGER_SSL
 value: "off"
From b7794f4c41b88e54e5beef69c369d4ba3f405a1e Mon Sep 17 00:00:00 2001
From: jjaruszewski
Date: Wed, 28 Jan 2026 19:25:59 +0100
Subject: [PATCH 3/3] Fix ArgoCD inconsistencies

Signed-off-by: jjaruszewski
---
 charts/core/templates/rolebinding-least.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
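Review bot: In charts/core/templates/role.yaml the relocated `{{- end }}` (first hunk, right after the `- update` verb) gives no hint of which `if` it closes, and that opener sits above the hunk, so a later edit can easily stretch the conditional over the whole file again. A template comment on the line above it would pin the scope, for example `{{- /* closes the autogenerate-only Role; the Roles below must render regardless */ -}}`. Judging by the commit subject, the Roles after `---` now render when autogenerate is disabled, so it is worth checking that the RoleBindings referencing them sit under the same conditions; this series shows no matching change. Rendering the chart with autogenerate on and off and comparing the RBAC objects would confirm that each Role still has exactly the bindings it is meant to have.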
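Review bot: In charts/core/templates/manager-deployment.yaml the new `CTRL_SERVER_IP` value hard-codes the Service name `neuvector-svc-controller-api`, and nothing in the hunk shows that this Service is rendered in every configuration in which the manager Deployment is. If the Service template is gated by a values condition, the manager would start with a controller endpoint that does not resolve, so the env entry should follow the same condition or fall back to the previous name. The value is also left unquoted while the entries around it are quoted; `value: "neuvector-svc-controller-api.{{ .Release.Namespace }}"` matches them and keeps the rendered scalar a string. The env list starts and ends outside the hunk.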
diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml
index b9bc8b06..ffaeeb25 100644
--- a/charts/core/templates/rolebinding-least.yaml
+++ b/charts/core/templates/rolebinding-least.yaml
@@ -223,6 +223,9 @@ subjects:
 ---
+kind: SecurityContextConstraints
+metadata:
+ name: neuvector-scc-controller
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
@@ -236,9 +239,6 @@ defaultAddCapabilities: null
 fsGroup:
 type: RunAsAny
 groups: []
-kind: SecurityContextConstraints
-metadata:
- name: neuvector-scc-controller
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
@@ -251,11 +251,11 @@ supplementalGroups:
 type: RunAsAny
 users: []
 volumes:
+- azureFile
 - configMap
 - downwardAPI
 - emptyDir
 - persistentVolumeClaim
-- azureFile
 - projected
 - secret