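---
# RBAC for Woodpecker CI to deploy projects
#
# The Woodpecker CI deploy step runs as the `default` ServiceAccount in the
# `threesix` namespace but needs to update deployments in the `projects`
# namespace using `kubectl set image`.
#
# This uses a namespace-scoped Role (not ClusterRole) to follow least-privilege:
# permissions are restricted to the `projects` namespace only.
#
# Without this, deploy steps fail with:
#   Error from server (Forbidden): deployments.apps "project-name" is forbidden:
#   User "system:serviceaccount:threesix:default" cannot patch resource
#   "deployments" in API group "apps" in the namespace "projects"
#
# Security notes (review):
# - The subject below is the `default` ServiceAccount of `threesix`. Every pod
#   in that namespace that does not set `serviceAccountName` — not only the
#   Woodpecker agent/step pods — therefore receives these rights. Prefer a
#   dedicated ServiceAccount for the CI agent and point the RoleBinding at it;
#   the agent's pod spec must then set `serviceAccountName` to match, which is
#   configured outside this file, so the subject is left unchanged here.
# - `patch` on deployments is not limited to the image field. The same verb
#   lets the holder rewrite any part of the pod template (command, env,
#   volumes, serviceAccountName, securityContext), i.e. run arbitrary
#   workloads in `projects` under whatever ServiceAccounts those deployments
#   use. Treat the CI token accordingly. `get`/`patch` can be narrowed with
#   `resourceNames: [...]` once the set of deployment names is fixed;
#   `list`/`watch` cannot be restricted by name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: woodpecker-deployer
  namespace: projects  # Scoped to projects namespace only
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
rules:
  # Deploy steps: set image, patch replicas, verify rollout
  # - get/list/watch: read deployment state (kubectl rollout status lists and
  #   watches the deployment itself with a name field selector)
  # - patch: kubectl set image, kubectl patch (replicas) — see the security
  #   note above on what patch actually permits
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch", "watch"]
  # Read-only access to replicasets and pods, kept so rollout tracking and
  # any `kubectl get rs/pods` debugging in the step keep working.
  # NOTE(review): recent kubectl versions appear to derive `rollout status`
  # for a Deployment from deployment.status alone; if no step reads
  # replicasets or pods directly, these two rules may be droppable — confirm
  # by running the pipeline without them before removing.
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: woodpecker-deployer
  namespace: projects  # Binding in the target namespace
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
subjects:
  # Woodpecker CI runs pipeline steps as the default ServiceAccount
  # in the threesix namespace. This grants the Role to every pod in
  # threesix using that ServiceAccount, not just CI — see the header note.
  - kind: ServiceAccount
    name: default
    namespace: threesix
roleRef:
  kind: Role
  name: woodpecker-deployer
  apiGroup: rbac.authorization.k8s.io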