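---
# RBAC for rdev-api to exec into claudebox pods
# v0.4 - API Server
#
# NOTE(review): Kubernetes RBAC scopes pods/exec by namespace (or by exact
# resourceNames), never by label. The exec grant below therefore covers every
# pod in the rdev namespace, not only claudebox pods. Keep unrelated workloads
# out of this namespace, or pin resourceNames if pod names are stable.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rdev-api
  namespace: rdev
  labels:
    app.kubernetes.io/name: rdev-api
    app.kubernetes.io/part-of: rdev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rdev-api
  namespace: rdev
  labels:
    app.kubernetes.io/name: rdev-api
    app.kubernetes.io/part-of: rdev
rules:
  # List and get pods (for project discovery and status)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Execute commands in pods. "create" on pods/exec is command execution as
  # the container's user inside any pod of this namespace; treat the rdev-api
  # token with the same care as shell access to those pods.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # Read pod logs (for debugging)
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rdev-api
  namespace: rdev
  labels:
    app.kubernetes.io/name: rdev-api
    app.kubernetes.io/part-of: rdev
subjects:
  - kind: ServiceAccount
    name: rdev-api
    namespace: rdev
roleRef:
  kind: Role
  name: rdev-api
  apiGroup: rbac.authorization.k8s.io
---
# RBAC for Woodpecker CI to deploy to rdev namespace
# Allows CI service accounts to apply deployment patches and watch rollout status
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: woodpecker-deployer
  namespace: rdev
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
rules:
  # get/list/watch + patch is what image updates and rollout-status polling
  # need; no create/delete, so CI cannot add or remove workloads. Note that
  # "patch" on a deployment's pod template still lets the holder choose which
  # image runs in this namespace.
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "patch", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: woodpecker-deployer
  namespace: rdev
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
subjects:
  # NOTE(review): these are the namespaces' *default* ServiceAccounts. Every
  # pod that does not set serviceAccountName runs as "default" (and mounts
  # its token unless automount is disabled), so any such pod in rdev or
  # threesix inherits the deployment patch rights above, not just the CI
  # runner. Prefer a dedicated ServiceAccount for the runner; TODO confirm
  # which ServiceAccount Woodpecker's agent actually uses before changing this.
  - kind: ServiceAccount
    name: default
    namespace: rdev
  - kind: ServiceAccount
    name: default
    namespace: threesix
roleRef:
  kind: Role
  name: woodpecker-deployer
  apiGroup: rbac.authorization.k8s.io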