From 678de2604d26bf3503eb86fa20dd80060dc856a8 Mon Sep 17 00:00:00 2001
From: Wei Liu <liuweixa@redhat.com>
Date: Mon, 27 Oct 2025 21:11:45 +0800
Subject: [PATCH] allow approve certificates that are signed by grpc (#1225)

Signed-off-by: Wei Liu <liuweixa@redhat.com>
---
 manifests/cluster-manager/hub/registration/clusterrole.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/manifests/cluster-manager/hub/registration/clusterrole.yaml b/manifests/cluster-manager/hub/registration/clusterrole.yaml
index dcf501b0e..7f9729442 100644
--- a/manifests/cluster-manager/hub/registration/clusterrole.yaml
+++ b/manifests/cluster-manager/hub/registration/clusterrole.yaml
@@ -134,8 +134,9 @@ rules:
   verbs: ["update", "patch"]
 {{end}}
 {{if .GRPCAuthEnabled}}
+# Allow hub to approve/sign certificates that are signed by grpc
 - apiGroups: ["certificates.k8s.io"]
   resources: ["signers"]
   resourceNames: ["open-cluster-management.io/grpc"]
-  verbs: ["sign"]
+  verbs: ["approve", "sign"]
 {{end}}