From dd712038051298dcd51567504bb3da9c22d4cded Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Thu, 16 Apr 2026 13:49:15 +0200
Subject: [PATCH 1/2] fix(rbac): Restore listeners/finalizers update permission

Without the `listeners/finalizers` `update` rule, the listener operator is unable to set `metadata.ownerReferences[].blockOwnerDeletion` on the Service (or other) resource.
---
 deploy/helm/listener-operator/templates/roles.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/deploy/helm/listener-operator/templates/roles.yaml b/deploy/helm/listener-operator/templates/roles.yaml
index d10f279..2931851 100644
--- a/deploy/helm/listener-operator/templates/roles.yaml
+++ b/deploy/helm/listener-operator/templates/roles.yaml
@@ -175,6 +175,14 @@ rules:
 - listeners/status
 verbs:
 - patch
+ # Required by Kubernetes to allow setting blockOwnerDeletion on resources (e.g. Services)
+ # owned by a Listener.
+ - apiGroups:
+ - listeners.stackable.tech
+ resources:
+ - listeners/finalizers
+ verbs:
+ - update
 # PodListeners record the resolved listener addresses for each volume mounted in a Pod.
 # Created by the CSI node driver when a Pod first mounts a Listener volume, then patched
 # to add entries for additional volumes.
From b4538eaf1869a2393bf6b357783638e1a3b71916 Mon Sep 17 00:00:00 2001
From: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
Date: Thu, 16 Apr 2026 14:01:31 +0200
Subject: [PATCH 2/2] Update description

Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 deploy/helm/listener-operator/templates/roles.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/deploy/helm/listener-operator/templates/roles.yaml b/deploy/helm/listener-operator/templates/roles.yaml
index 2931851..23aee31 100644
--- a/deploy/helm/listener-operator/templates/roles.yaml
+++ b/deploy/helm/listener-operator/templates/roles.yaml
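Review bot: The rule added in the `@@ -175,6 +175,14 @@` hunk of PATCH 1/2 covers only owners of kind Listener, so any other kind that this role's subjects name as an owner with `blockOwnerDeletion: true` would still be rejected on clusters that enforce the owner-reference permission check. The PodListeners described in the trailing context are one candidate to check, although what owns them is not visible in this hunk. If such an owner exists, it needs its own `<resource>/finalizers` entry with the `update` verb. The grant itself is well scoped and should stay limited to `update` on the `listeners/finalizers` subresource rather than being widened to `listeners`. The `rules:` list begins and continues outside the hunk.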
@@ -176,7 +176,8 @@ rules:
 verbs:
 - patch
 # Required by Kubernetes to allow setting blockOwnerDeletion on resources (e.g. Services)
- # owned by a Listener.
+ # owned by a Listener. This is needed when the OwnerReferencesPermissionEnforcement admission
+ # controller is enabled (which is by default in OpenShift)
 - apiGroups:
 - listeners.stackable.tech
 resources:
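Review bot: The reworded comment in PATCH 2/2 ends with `(which is by default in OpenShift)` and no full stop, and it does not say what an operator sees when the rule is missing. I would write `# controller is enabled (it is on by default on OpenShift).` and add a line quoting the API server's rejection, `# Without it: "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on"`, so the failure can be traced back to this rule from a log search. The rule and the `rules:` list it belongs to continue outside the hunk.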