This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/sealed-secrets] role needs "list" privilege #15837

Closed
k0ffee opened this issue Jul 24, 2019 · 0 comments
Closed

Comments

@k0ffee (Contributor) commented Jul 24, 2019

Describe the bug
The sealed-secrets container v0.8.0 fails to start with a Go panic and ends up in CrashLoopBackOff.

Version of Helm and Kubernetes:

unix% helm version
Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}

Kubernetes is 1.12.8-gke.10 on Google Kubernetes Engine.

Which chart:
stable/sealed-secrets

What happened:

unix% kubectl logs -n kube-system sealed-secrets-6c6cb78f9c-7bftq
2019/07/24 13:12:35 Starting sealed-secrets controller version: v0.8.0
2019/07/24 13:12:35 Searching for existing private keys
panic: secrets is forbidden: User "system:serviceaccount:kube-system:sealed-secrets" cannot list resource "secrets" in API group "" in the namespace "kube-system"

goroutine 1 [running]:
main.main()
        /home/travis/gopath/src/github.com/bitnami-labs/sealed-secrets/cmd/controller/main.go:218 +0x20a

What you expected to happen:

unix% kubectl logs -n kube-system sealed-secrets-6c6cb78f9c-xwj2w
2019/07/24 13:55:12 Starting sealed-secrets controller version: v0.8.0
2019/07/24 13:55:12 Searching for existing private keys
2019/07/24 13:55:16 New key written to kube-system/sealed-secrets-keyn8bcd
2019/07/24 13:55:16 Certificate is
-----BEGIN CERTIFICATE-----
MIIErjCCApagAwIBAgIRAKq/xeP [...]
-----END CERTIFICATE-----
2019/07/24 13:55:16 HTTP server serving on :8080

How to reproduce it (as minimally and precisely as possible):

helm install stable/sealed-secrets --version 1.3.0

Anything else we need to know:
Adding the "list" privilege to templates/roles.yaml solved the issue for me.

unix% diff -ub stable~/sealed-secrets/templates/roles.yaml stable/sealed-secrets/templates/roles.yaml
--- stable~/sealed-secrets/templates/roles.yaml 2019-07-24 16:17:27.000000000 +0200
+++ stable/sealed-secrets/templates/roles.yaml  2019-07-24 16:17:33.000000000 +0200
@@ -28,3 +28,4 @@
   - secrets
   verbs:
   - create
+  - list
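Review bot: `list` on secrets in this namespaced Role is exactly what the startup panic asks for (`cannot list resource "secrets" ... in the namespace "kube-system"`), and adding it to the Role rather than the ClusterRole keeps the grant confined to the controller's own namespace, but `list` returns the full body of every Secret in kube-system, not only the controller's key secrets, and RBAC cannot narrow `list` by resource name or label; the chart's README should state that the controller can read all secrets in its namespace. Verify the grant with `kubectl auth can-i list secrets -n kube-system --as=system:serviceaccount:kube-system:sealed-secrets` before rolling the chart out.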

The issue is related to this change on the sealed-secrets side:
bitnami-labs/sealed-secrets@b21c589

Edit:
Just a quick note, I've also had to patch templates/clusterrole.yaml:

unix% diff -ub clusterrole.yaml~ clusterrole.yaml
--- clusterrole.yaml~   2019-07-24 18:44:44.000000000 +0200
+++ clusterrole.yaml    2019-07-24 18:44:39.000000000 +0200
@@ -26,3 +26,10 @@
   - create
   - update
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
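Review bot: the rule directly above this addition ends at `create`, `update`, `delete` with no `get`, and the next error quoted in this report is a forbidden `get` on secrets in `my-service`; if that rule is the secrets rule, `- get` belongs in the same change rather than in a follow-up patch. The new `events` rule has no matching denial quoted here, so the commit message should cite which controller change needs `create` and `patch` on events, the way bitnami-labs/sealed-secrets@b21c589 is cited for `list`.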

and am now stuck at

2019/07/24 16:50:01 Updating my-service/regcred
2019/07/24 16:50:01 Error updating my-service/regcred, will retry: secrets "regcred" is forbidden: User "system:serviceaccount:kube-system:sealed-secrets" cannot get resource "secrets" in API group "" in the namespace "my-service"

Version v0.8.0 and the Helm chart seem to have diverged considerably; I'll continue investigating tomorrow.
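As an added example that is not part of this issue, the chart, or the sealed-secrets project: a small Python checker that parses the apiserver's RBAC denial text quoted in the logs above and evaluates each denial against an in-memory model of the chart's Role and ClusterRole, reporting the minimal verb each binding needs and re-checking once those grants are applied. The binding names, the rule contents and the sample log lines are constructed for the example; in particular the ClusterRole's secrets verbs are an assumption taken from the clusterrole.yaml hunk context, since the diff does not show the resource name.

```python
import re
from dataclasses import dataclass

# Matches the apiserver's RBAC denial text as quoted in this issue's logs.
# Cluster-scoped denials end in "at the cluster scope" instead of a namespace.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)?'
)

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def allows(self, group, resource, verb):
        return ((group in self.api_groups or "*" in self.api_groups)
                and (resource in self.resources or "*" in self.resources)
                and (verb in self.verbs or "*" in self.verbs))

@dataclass
class Binding:
    # A Role bound in one namespace (namespace set) or a ClusterRole bound
    # cluster-wide (namespace None), as granted to one service account.
    name: str
    rules: list
    namespace: str = None

def parse_forbidden(line):
    """user/verb/resource/group/namespace from a denial line; None if the
    line is not a denial. namespace is None for cluster-scoped denials."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None

def is_allowed(bindings, group, resource, verb, namespace):
    for b in bindings:
        # A Role only counts inside its own namespace; a ClusterRole bound
        # through a ClusterRoleBinding counts in every namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.allows(group, resource, verb) for r in b.rules):
            return True
    return False

def missing_grants(log_lines, bindings):
    """(binding_name, group, resource, verb) for each uncovered denial. A denial
    inside a Role's namespace is charged to that Role, anything else to the
    ClusterRole, so a namespace-local need never widens the cluster-wide grant."""
    needed = []
    for line in log_lines:
        d = parse_forbidden(line)
        if d is None or is_allowed(bindings, d["group"], d["resource"], d["verb"], d["namespace"]):
            continue
        target = next((b for b in bindings if b.namespace == d["namespace"]), None)
        if target is None:
            target = next(b for b in bindings if b.namespace is None)
        grant = (target.name, d["group"], d["resource"], d["verb"])
        if grant not in needed:
            needed.append(grant)
    return needed

def apply_grants(bindings, grants):
    """Add each verb to the existing rule for that group/resource, or a new
    single-resource rule; never a wildcard."""
    for name, group, resource, verb in grants:
        b = next(x for x in bindings if x.name == name)
        for i, r in enumerate(b.rules):
            if group in r.api_groups and resource in r.resources:
                b.rules[i] = Rule(r.api_groups, r.resources, r.verbs + (verb,))
                break
        else:
            b.rules.append(Rule((group,), (resource,), (verb,)))
    return bindings

def chart_1_3_0_bindings():
    """Constructed model of the chart's RBAC before the fix. The Role rule mirrors
    the roles.yaml hunk; the ClusterRole's secrets verbs are an assumption."""
    return [
        Binding("Role/sealed-secrets", rules=[Rule(("",), ("secrets",), ("create",))],
                namespace="kube-system"),
        Binding("ClusterRole/sealed-secrets",
                rules=[Rule(("",), ("secrets",), ("create", "update", "delete"))]),
    ]

# Constructed sample log: the two denials quoted in the issue, each joined
# onto one line, plus a non-denial line to show that noise is skipped.
CONTROLLER_LOG = [
    "2019/07/24 13:12:35 Searching for existing private keys",
    'panic: secrets is forbidden: User "system:serviceaccount:kube-system:sealed-secrets" '
    'cannot list resource "secrets" in API group "" in the namespace "kube-system"',
    'Error updating my-service/regcred, will retry: secrets "regcred" is forbidden: '
    'User "system:serviceaccount:kube-system:sealed-secrets" cannot get resource "secrets" '
    'in API group "" in the namespace "my-service"',
]

if __name__ == "__main__":
    bindings = chart_1_3_0_bindings()
    grants = missing_grants(CONTROLLER_LOG, bindings)
    for name, group, resource, verb in grants:
        print(f"{name} needs verb {verb!r} on {resource!r} in apiGroup {group!r}")
    print("uncovered after fix:", missing_grants(CONTROLLER_LOG, apply_grants(bindings, grants)))
```

Run against the constructed log it attributes the `list` denial to the namespaced Role and the `get` denial to the ClusterRole, which is the split the two diffs in this report arrive at by hand; attributing namespace-local denials to the Role first is the design choice that keeps the cluster-wide grant as small as the controller actually needs.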

davidkarlsen added a commit to davidkarlsen/charts that referenced this issue Jul 25, 2019
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
davidkarlsen added a commit to davidkarlsen/charts that referenced this issue Jul 26, 2019
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
ThoTischner pushed a commit to bitsbeats/charts that referenced this issue Aug 13, 2019
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
landorg pushed a commit to landorg/charts that referenced this issue Aug 19, 2019
…tnami-labs/sealed-secrets/releases/tag/v0.8.1. Related to helm#15837 (helm#15907)

Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
Signed-off-by: Roland Gritzer <gritzer.roland@gmail.com>
kengou pushed a commit to kengou/charts that referenced this issue Sep 18, 2019
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
ramkumarvs pushed a commit to yugabyte/charts-helm-fork that referenced this issue Sep 30, 2019
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
gaida pushed a commit to gaida/charts that referenced this issue Oct 3, 2019
Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>