fix: improper role permissions
diff --git a/roles/atmosphere/tasks/main.yml b/roles/atmosphere/tasks/main.yml
index 7d95c22..933f72c 100644
--- a/roles/atmosphere/tasks/main.yml
+++ b/roles/atmosphere/tasks/main.yml
@@ -2,6 +2,8 @@
   kubernetes.core.k8s:
     state: present
     template:
+      - cluster_role.yml
+      - cluster_role_binding.yml
       - namespace.yml
       - role.yml
       - service_account.yml
diff --git a/roles/atmosphere/templates/cluster_role.yml b/roles/atmosphere/templates/cluster_role.yml
new file mode 100644
index 0000000..72f1301
--- /dev/null
+++ b/roles/atmosphere/templates/cluster_role.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: atmosphere
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["helmrepositories"]
+    verbs: ["get", "create", "patch"]
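Review bot: The rule on `helmrepositories` grants `create` and `patch` in every namespace once it is bound by the ClusterRoleBinding added in cluster_role_binding.yml, although HelmRepository is a namespaced Flux resource. Write access to these objects decides which chart sources the cluster pulls from, so it is worth limiting to the namespaces atmosphere actually manages. One way is to keep this ClusterRole as the shared rule set and bind it with a `kind: RoleBinding` in each of those namespaces. If cluster-wide access is really needed, record the reason in a comment above `rules:`, for example `# cluster-wide: HelmRepository objects are managed in more than one namespace`.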
diff --git a/roles/atmosphere/templates/cluster_role_binding.yml b/roles/atmosphere/templates/cluster_role_binding.yml
new file mode 100644
index 0000000..db8ce31
--- /dev/null
+++ b/roles/atmosphere/templates/cluster_role_binding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: atmosphere
+subjects:
+  - kind: ServiceAccount
+    name: atmosphere
+    namespace: openstack
+roleRef:
+  kind: ClusterRole
+  name: atmosphere
+  apiGroup: rbac.authorization.k8s.io
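Review bot: The subject namespace is hard-coded as `namespace: openstack`, while namespace.yml and service_account.yml, which presumably create the namespace and the account, are not shown in this diff. RBAC does not check that a subject exists, so if those templates take the namespace from a variable and it changes, the binding silently stops matching the real account. It would then apply to any `atmosphere` ServiceAccount later created in `openstack`. Take the namespace from the same source as service_account.yml, or add a comment such as `# must match metadata.namespace in service_account.yml` above the `subjects:` entry.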