From 70143fa1cdd519daa00b42b59e334c0b9d15d9b5 Mon Sep 17 00:00:00 2001
From: jordan
Date: Mon, 9 Feb 2026 01:14:00 -0700
Subject: [PATCH] fix(ci): add watch permission for Woodpecker CI deployments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Woodpecker CI was timing out when watching deployment rollout status due to missing RBAC permissions. The deployments were succeeding but CI couldn't verify completion. Changes: - Add 'watch' verb to woodpecker-deployer Role - Add threesix/default service account to RoleBinding - Consolidate woodpecker-deployer RBAC into base/rbac.yaml This resolves the "Failed to watch: deployments.apps is forbidden" errors in CI logs while maintaining successful deployment rollouts. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 deployments/k8s/base/rbac.yaml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/deployments/k8s/base/rbac.yaml b/deployments/k8s/base/rbac.yaml
index 0900d03..78db56d 100644
--- a/deployments/k8s/base/rbac.yaml
+++ b/deployments/k8s/base/rbac.yaml
@@ -50,3 +50,38 @@ roleRef:
 kind: Role
 name: rdev-api
 apiGroup: rbac.authorization.k8s.io
+---
+# RBAC for Woodpecker CI to deploy to rdev namespace
+# Allows CI service accounts to apply deployment patches and watch rollout status
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: woodpecker-deployer
+ namespace: rdev
+ labels:
+ app.kubernetes.io/name: woodpecker-deployer
+ app.kubernetes.io/part-of: rdev
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: woodpecker-deployer
+ namespace: rdev
+ labels:
+ app.kubernetes.io/name: woodpecker-deployer
+ app.kubernetes.io/part-of: rdev
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: rdev
+ - kind: ServiceAccount
+ name: default
+ namespace: threesix
+roleRef:
+ kind: Role
+ name: woodpecker-deployer
+ apiGroup: rbac.authorization.k8s.io
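Review bot: The RoleBinding's `subjects` bind the `default` ServiceAccount of both `rdev` and `threesix`, so every pod in those namespaces that does not set its own `serviceAccountName` receives `patch` on all Deployments in `rdev`, not only the CI pipeline. `patch` on a Deployment is enough to change its image, service account or mounted secrets, so a compromise of any such workload extends to every Deployment in the namespace. Bind a dedicated ServiceAccount that only the Woodpecker pipeline pods run as, and consider a `resourceNames` list on the `get`/`patch` rule so CI can modify only the Deployments it rolls out, keeping `list` and `watch` in a separate rule; the sketch below uses placeholder names. Whether the `rdev/default` subject is needed at all is not visible from this hunk.

```yaml
rules:
  # Write access limited to the Deployments CI actually rolls out.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["<deployment-name>"]  # placeholder
    verbs: ["get", "patch"]
  # Read-only verbs used to follow rollout status.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["list", "watch"]
# … unchanged: RoleBinding apiVersion, kind, metadata …
subjects:
  - kind: ServiceAccount
    name: "<ci-deployer-service-account>"  # placeholder: used only by pipeline pods
    namespace: threesix
# … unchanged: roleRef …
```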