- Make postgres and redis provisioning idempotent: return success when already provisioned with credentials stored, allowing cookbook trees to safely include explicit add-db/add-redis steps alongside auto-provisioned project creation
- Update tests to reflect new idempotent behavior
- Consolidate docs CI into single multi-stage Docker build (remove separate build-docs step; Dockerfile.nginx now builds Slate then serves with nginx)
- Delete redundant skeleton docs/Dockerfile (replaced by multi-stage nginx image)
- Add watch verb to woodpecker-deployer RBAC (required by kubectl rollout status)
- Aeries Daeya cookbook: add public discovery feed (/) + character profiles (/c/:handle), characters.published/handle/tagline fields, dark pink design system, /studio/* routes, verify-public-discovery + verify-otp-endpoint smoke test steps
- Fix Input.tsx: remove non-existent --border-hover CSS variable hover effect
57 lines
2.0 KiB
YAML
```yaml
# RBAC for Woodpecker CI to deploy projects
#
# The Woodpecker CI deploy step runs as the `default` ServiceAccount in the
# `threesix` namespace but needs to update deployments in the `projects`
# namespace using `kubectl set image`.
#
# This uses a namespace-scoped Role (not ClusterRole) to follow least-privilege:
# permissions are restricted to the `projects` namespace only.
#
# Caveat: the `default` ServiceAccount is shared by every pod in `threesix` that
# does not set its own serviceAccountName, so those pods inherit this grant too.
# A dedicated ServiceAccount for the deploy step would narrow it further.
#
# Without this, deploy steps fail with:
# Error from server (Forbidden): deployments.apps "project-name" is forbidden:
# User "system:serviceaccount:threesix:default" cannot patch resource
# "deployments" in API group "apps" in the namespace "projects"

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: woodpecker-deployer
  namespace: projects  # Scoped to projects namespace only
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
rules:
  # Deploy steps: set image, patch replicas, verify rollout
  # - get/list/watch: read deployment state (watch required by kubectl rollout status)
  # - patch: kubectl set image, kubectl patch (replicas)
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch", "watch"]
  # Read-only view of replicasets: lets the deploy step inspect new/old
  # replica counts while a rollout progresses. No write verbs.
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  # Read-only view of pods: lets the deploy step check readiness and spot
  # crash loops. No create/delete/exec.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: woodpecker-deployer
  namespace: projects  # Binding in the target namespace
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
subjects:
  # Woodpecker CI runs pipeline steps as the default ServiceAccount
  # in the threesix namespace
  - kind: ServiceAccount
    name: default
    namespace: threesix
roleRef:
  kind: Role
  name: woodpecker-deployer
  apiGroup: rbac.authorization.k8s.io
```
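The manifest above is only as safe as what it withholds, so the check worth running is not "can the CI account patch deployments" but "can it do nothing else, and nothing at all in other namespaces". The following script is an added example, not code from this repository: it models Kubernetes RBAC evaluation for namespaced Roles just far enough to answer those questions offline, with ROLE and ROLE_BINDING transcribed from the YAML above and a constructed set of requests. It also prints the equivalent `kubectl auth can-i` commands for verifying the same answers against a live cluster; the check list and the helper names (`ci_can`, `can_i_command`) are this example's own.

```python
"""Offline model of the woodpecker-deployer Role/RoleBinding.

Added example, not code from the repository. Kubernetes RBAC is deny-by-default
and purely additive: a request succeeds only if some RoleBinding in the
request's namespace names the subject and references a Role (same namespace)
whose rules cover the verb, API group and resource. There are no deny rules.
"""
from dataclasses import dataclass

# Transcribed from the manifest on this page.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "woodpecker-deployer", "namespace": "projects"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "patch", "watch"]},
        {"apiGroups": ["apps"], "resources": ["replicasets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch"]},
    ],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "woodpecker-deployer", "namespace": "projects"},
    "subjects": [{"kind": "ServiceAccount", "name": "default",
                  "namespace": "threesix"}],
    "roleRef": {"kind": "Role", "name": "woodpecker-deployer",
                "apiGroup": "rbac.authorization.k8s.io"},
}


@dataclass(frozen=True)
class Request:
    user: str        # username as the API server sees it
    verb: str
    api_group: str   # "" is the core group (pods, secrets, ...)
    resource: str
    namespace: str


def subject_name(subject: dict) -> str:
    """Username a binding subject resolves to (system:serviceaccount:<ns>:<name>)."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]


def rule_matches(rule: dict, req: Request) -> bool:
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], req.api_group)
            and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))


def allowed(req: Request, roles: list, bindings: list) -> bool:
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != req.namespace:
            continue  # a RoleBinding never grants anything outside its namespace
        if req.user not in {subject_name(s) for s in b["subjects"]}:
            continue
        if b["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are not modelled here
        role = by_key.get((req.namespace, b["roleRef"]["name"]))
        if role and any(rule_matches(r, req) for r in role["rules"]):
            return True
    return False  # deny by default


CI_SA = "system:serviceaccount:threesix:default"


def ci_can(verb: str, api_group: str, resource: str, namespace: str = "projects") -> bool:
    return allowed(Request(CI_SA, verb, api_group, resource, namespace),
                   [ROLE], [ROLE_BINDING])


def can_i_command(verb: str, api_group: str, resource: str, namespace: str = "projects") -> str:
    """The same question asked of a real cluster, impersonating the CI account."""
    res = f"{resource}.{api_group}" if api_group else resource
    return f"kubectl auth can-i {verb} {res} --as={CI_SA} -n {namespace}"


if __name__ == "__main__":
    # Constructed checks: what the deploy step needs, and what it must not have.
    checks = [
        ("patch", "apps", "deployments", "projects", True),    # kubectl set image
        ("watch", "apps", "deployments", "projects", True),    # kubectl rollout status
        ("delete", "apps", "deployments", "projects", False),  # not granted
        ("create", "", "pods", "projects", False),             # pods are read-only
        ("get", "", "secrets", "projects", False),             # never listed in the Role
        ("patch", "apps", "deployments", "threesix", False),   # binding lives in projects
    ]
    for verb, grp, res, ns, want in checks:
        got = ci_can(verb, grp, res, ns)
        flag = "ok " if got == want else "BAD"
        print(f"{flag} {'allow' if got else 'deny '}  {can_i_command(verb, grp, res, ns)}")
```

The namespace check in `allowed` is the whole point of choosing a Role over a ClusterRole: the binding sits in `projects`, so the identical request against `threesix` or any other namespace is denied even though the subject matches. Run the printed `kubectl auth can-i` lines with a kubeconfig that is allowed to impersonate to confirm the cluster agrees with the model.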