From 165a126ebbea36136e43a52d368c56c72813e151 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer <sebastian.bernauer@stackable.de>
Date: Mon, 21 Jul 2025 10:47:47 +0200
Subject: [PATCH] fix: Add RBAC permission to patch events (#660)

* fix: Add RBAC permission to patch events

* changelog

* changelog
---
 CHANGELOG.md                                      | 3 +++
 deploy/helm/airflow-operator/templates/roles.yaml | 1 +
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2399f67f..482c5fba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,8 @@
   - The default Kubernetes cluster domain name is now fetched from the kubelet API unless explicitly configured.
   - This requires operators to have the RBAC permission to get nodes/proxy in the apiGroup "". The helm-chart takes care of this.
   - The CLI argument `--kubernetes-node-name` or env variable `KUBERNETES_NODE_NAME` needs to be set. The helm-chart takes care of this.
+- The operator helm-chart now grants RBAC `patch` permissions on `events.k8s.io/events`,
+  so events can be aggregated (e.g. "error happened 10 times over the last 5 minutes") ([#660]).
 
 ### Fixed
 
@@ -68,6 +70,7 @@
 [#649]: https://github.com/stackabletech/airflow-operator/pull/649
 [#651]: https://github.com/stackabletech/airflow-operator/pull/651
 [#656]: https://github.com/stackabletech/airflow-operator/pull/656
+[#660]: https://github.com/stackabletech/airflow-operator/pull/660
 
 ## [25.3.0] - 2025-03-21
 
diff --git a/deploy/helm/airflow-operator/templates/roles.yaml b/deploy/helm/airflow-operator/templates/roles.yaml
index a4c532c4..4c2246e5 100644
--- a/deploy/helm/airflow-operator/templates/roles.yaml
+++ b/deploy/helm/airflow-operator/templates/roles.yaml
@@ -180,6 +180,7 @@ rules:
       - events
     verbs:
       - create
+      - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
   - apiGroups:
       - security.openshift.io