From f58152404738f304bb09523ac0c2b9aa3304f894 Mon Sep 17 00:00:00 2001
From: Rowan Smith
Date: Thu, 30 Oct 2025 10:59:00 +1100
Subject: [PATCH 1/2] fix for workspacePerms=false
---
 .../testdata/namespace_rbac_coder.golden | 43 -------------------
 helm/libcoder/templates/_rbac.yaml | 6 ++-
 2 files changed, 4 insertions(+), 45 deletions(-)
diff --git a/helm/coder/tests/testdata/namespace_rbac_coder.golden b/helm/coder/tests/testdata/namespace_rbac_coder.golden
index 239eb73f8ee51..2687504879629 100644
--- a/helm/coder/tests/testdata/namespace_rbac_coder.golden
+++ b/helm/coder/tests/testdata/namespace_rbac_coder.golden
@@ -117,34 +117,6 @@ rules:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
-metadata:
- name: coder-workspace-perms
- namespace: test-namespace2
-rules:
- - apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
----
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
 name: coder-workspace-perms
 namespace: test-namespace3
@@ -262,21 +234,6 @@ roleRef:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
-metadata:
- name: "coder"
- namespace: test-namespace2
-subjects:
- - kind: ServiceAccount
- name: "coder"
- namespace: coder
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: coder-workspace-perms
----
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
 metadata:
 name: "coder"
 namespace: test-namespace3
diff --git a/helm/libcoder/templates/_rbac.yaml b/helm/libcoder/templates/_rbac.yaml
index 73ba2bd4e1394..633a8252e8a0f 100644
--- a/helm/libcoder/templates/_rbac.yaml
+++ b/helm/libcoder/templates/_rbac.yaml
@@ -1,7 +1,9 @@
 {{- define "libcoder.rbac.forNamespace" -}}
 {{- $nsPerms := ternary .workspacePerms .Top.Values.coder.serviceAccount.workspacePerms (hasKey . "workspacePerms") -}}
- {{- $nsDeploy := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
- {{- $nsExtra := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}
+ {{- $nsDeployRaw := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
+ {{- $nsExtraRaw := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}
+ {{- $nsDeploy := and $nsPerms $nsDeployRaw -}}
+ {{- $nsExtra := ternary $nsExtraRaw (list) $nsPerms -}}
 {{- if or $nsPerms (or $nsDeploy $nsExtra) }}
 ---
From e909a995d463d4d209994cf85123961acc842600 Mon Sep 17 00:00:00 2001
From: Rowan Smith
Date: Thu, 30 Oct 2025 11:59:39 +1100
Subject: [PATCH 2/2] fix test case
---
 .../tests/testdata/namespace_rbac.golden | 43 -------------------
 1 file changed, 43 deletions(-)
diff --git a/helm/coder/tests/testdata/namespace_rbac.golden b/helm/coder/tests/testdata/namespace_rbac.golden
index 68650a02b3fb4..57a4ba3e2b214 100644
--- a/helm/coder/tests/testdata/namespace_rbac.golden
+++ b/helm/coder/tests/testdata/namespace_rbac.golden
@@ -117,34 +117,6 @@ rules:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
-metadata:
- name: coder-workspace-perms
- namespace: test-namespace2
-rules:
- - apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
----
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
 name: coder-workspace-perms
 namespace: test-namespace3
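Review bot: In `helm/libcoder/templates/_rbac.yaml`, the guard `{{- if or $nsPerms (or $nsDeploy $nsExtra) }}` kept as context at the end of the hunk is now equivalent to `{{- if $nsPerms }}`, because `$nsDeploy` is and-ed with `$nsPerms` and `$nsExtra` is forced to an empty list when `$nsPerms` is false; simplifying it would make the gating obvious to the next reader. The behaviour change deserves a template comment above the new assignments, for example `{{- /* enableDeployments and extraRules are ignored unless workspacePerms is true */ -}}`, since a namespace entry that sets `workspacePerms: false` together with `extraRules` now has those rules dropped silently. That is the least-privilege result, but the golden files in this patch only show the test-namespace2 Role and RoleBinding disappearing; a fixture with `extraRules` set and `workspacePerms: false` would pin the gating so a later edit cannot quietly re-grant the rules. The body of the `define` continues outside the hunk.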
@@ -262,21 +234,6 @@ roleRef:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
-metadata:
- name: "coder"
- namespace: test-namespace2
-subjects:
- - kind: ServiceAccount
- name: "coder"
- namespace: default
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: coder-workspace-perms
----
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
 metadata:
 name: "coder"
 namespace: test-namespace3