Problem
The Helm chart unconditionally grants needed (AFAIK) cluster-wide read access to secrets, and should be replaced with namespaced RBAC:
https://github.com/weaveworks/weave-gitops/blob/main/charts/gitops-server/templates/role.yaml#L18-L28
Would prevent read access cluster-wide.
Solution
Create a new Role in the namespace running ww-gitops with the secret read permissions and a role binding granting the new role to the ww-gitops SA. Remove access to secrets from the cluster role.
Additional context
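The namespaced RBAC proposed in the Solution, sketched as plain manifests. This is an added example, not the chart's own template or code from the issue author; the namespace `flux-system`, the object name `ww-gitops-secret-reader` and the verb list are assumptions, and `ww-gitops` is the service account named in the issue.

```yaml
# Added illustration, not the chart's own template.
# Assumed: namespace "flux-system", the name "ww-gitops-secret-reader",
# and the verbs below; "ww-gitops" is the service account from the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ww-gitops-secret-reader
  namespace: flux-system          # namespace the server runs in (assumed)
rules:
  - apiGroups: [""]               # core API group
    resources: ["secrets"]
    verbs: ["get", "list"]        # read-only; adjust to what the server uses
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ww-gitops-secret-reader
  namespace: flux-system
subjects:
  - kind: ServiceAccount
    name: ww-gitops
    namespace: flux-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                      # a Role, so the grant stops at this namespace
  name: ww-gitops-secret-reader
# Check once "secrets" is removed from the ClusterRole rules.
# Goal: allowed in flux-system, denied in any other namespace.
#   kubectl auth can-i get secrets -n flux-system \
#     --as=system:serviceaccount:flux-system:ww-gitops
#   kubectl auth can-i get secrets -n kube-system \
#     --as=system:serviceaccount:flux-system:ww-gitops
```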