CI / Woodpecker:
- Add explicit depends_on to all .woodpecker.yml steps (rdev + templates)
- Fix skip_tls_verify -> skip-tls-verify (correct Kaniko flag name)
- Add replicasets get/list to deployer RBAC for rollout status
- Skeleton template: add failure:ignore on docs steps, Traefik TLS annotations on ingress, depends_on on verify step

Component templates:
- Fix container name in deploy steps (PROJECT_NAME-COMPONENT_NAME)
- Replace kubectl scale with kubectl patch for replicas
- Add post-deploy image verification and rollout status checks
- Applied consistently across all 5 component templates

Adapters:
- gitea: Add HTTP client timeout (30s), context cancellation checks, handle 404 on GetRepo/DeleteRepo
- zot: Add retry with exponential backoff (doWithRetry), limit response body reads to 10MB
- cockroach: Use net.JoinHostPort for IPv6-safe DSN construction
- woodpecker: Fix error wrapping (%v -> %w)
- redis: Fix error wrapping (%v -> %w)
- deployer: Add context cancellation checks

Services:
- apikey_service: Fix error wrapping (%v -> %w)
- component_deploy: Fix error wrapping (%v -> %w)
- project_infra: Fix error wrapping (%v -> %w)
- webhook/dispatcher: Fix error wrapping (%v -> %w)

Other:
- CLAUDE.md: Add guide links for Gitea, Go 1.25, Woodpecker v3, Traefik v3, Zot registry
- circuitbreaker: Add test for error wrapping
- docs: Update deployment, troubleshooting, and runbook docs
- health: Fix error wrapping (%v -> %w)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
53 lines
1.8 KiB
YAML
# RBAC for Woodpecker CI to deploy projects
#
# The Woodpecker CI deploy step runs as the `default` ServiceAccount in the
# `threesix` namespace but needs to update deployments in the `projects`
# namespace using `kubectl set image`.
#
# This uses a namespace-scoped Role (not ClusterRole) to follow least-privilege:
# permissions are restricted to the `projects` namespace only.
#
# Without this, deploy steps fail with:
#   Error from server (Forbidden): deployments.apps "project-name" is forbidden:
#   User "system:serviceaccount:threesix:default" cannot patch resource
#   "deployments" in API group "apps" in the namespace "projects"

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: woodpecker-deployer
  namespace: projects # Scoped to projects namespace only
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
rules:
  # Deploy steps: set image, patch replicas, verify rollout
  # - get/list: read deployment state
  # - watch: `kubectl rollout status` (default --watch=true) list-watches the
  #   deployment itself and fails with Forbidden without this verb
  # - patch: kubectl set image, kubectl patch (replicas)
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]
  # Read access to the ReplicaSets owned by the deployment
  # (kubectl rollout history, kubectl describe deployment)
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: woodpecker-deployer
  namespace: projects # Binding in the target namespace
  labels:
    app.kubernetes.io/name: woodpecker-deployer
    app.kubernetes.io/part-of: rdev
subjects:
  # Woodpecker CI runs pipeline steps as the default ServiceAccount
  # in the threesix namespace.
  # Caveat: every pod in threesix that does not set serviceAccountName also
  # runs as this ServiceAccount and inherits the grant; a dedicated
  # ServiceAccount for the deploy step would narrow the blast radius.
  - kind: ServiceAccount
    name: default
    namespace: threesix
roleRef:
  kind: Role
  name: woodpecker-deployer
  apiGroup: rbac.authorization.k8s.io
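A least-privilege Role is only as good as the check that it grants exactly what the pipeline needs and nothing else. The following is an added example, not code from the rdev repository or from Woodpecker: it re-implements the subset of Kubernetes RBAC rule matching (apiGroups, resources including subresources, verbs, resourceNames, and Role namespace scoping) so the allow/deny set of a rule list can be audited offline, then compares a rule set with `get/list/patch` on deployments against one that also carries `watch`, which `kubectl rollout status` needs in its default `--watch=true` mode. The `REQUIRED` and `MUST_DENY` request lists are assumptions about what the deploy steps issue and what a hijacked step must never be able to do.

```python
"""Offline least-privilege audit for a namespace-scoped Kubernetes Role.

Added example (not rdev or Woodpecker code). Re-implements RBAC rule
matching closely enough to answer "would this Role allow request X?"
without a cluster. Request lists below are assumptions, not from the page.
"""
from dataclasses import dataclass

ROLE_NAMESPACE = "projects"

# Rule set A: get/list/patch on deployments, get/list on replicasets.
RULES_WITHOUT_WATCH = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch"]},
    {"apiGroups": ["apps"], "resources": ["replicasets"],
     "verbs": ["get", "list"]},
]

# Rule set B: as A, plus watch on deployments for `kubectl rollout status`,
# which list-watches the deployment in its default --watch=true mode.
RULES_WITH_WATCH = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "patch"]},
    RULES_WITHOUT_WATCH[1],
]


@dataclass(frozen=True)
class Request:
    verb: str
    group: str       # "" is the core API group (pods, secrets, ...)
    resource: str    # may carry a subresource, e.g. "deployments/scale"
    namespace: str
    name: str = ""


def _match(patterns, value):
    # RBAC list entries match exactly; "*" is the only wildcard.
    return "*" in patterns or value in patterns


def _resource_matches(rule_resources, resource):
    # A subresource is a distinct resource string ("deployments/scale");
    # "*/scale" matches that subresource on every parent resource.
    if _match(rule_resources, resource):
        return True
    if "/" in resource:
        return f"*/{resource.split('/', 1)[1]}" in rule_resources
    return False


def rule_allows(rule, req):
    if not _match(rule["apiGroups"], req.group):
        return False
    if not _resource_matches(rule["resources"], req.resource):
        return False
    if not _match(rule["verbs"], req.verb):
        return False
    names = rule.get("resourceNames")  # optional restriction to named objects
    return not names or req.name in names


def role_allows(rules, role_namespace, req):
    # A Role (unlike a ClusterRole) never grants outside its own namespace.
    if req.namespace != role_namespace:
        return False
    return any(rule_allows(r, req) for r in rules)


# Assumed verbs behind kubectl set image, kubectl patch (replicas),
# kubectl rollout status and kubectl rollout history.
REQUIRED = [
    Request("get", "apps", "deployments", "projects"),
    Request("list", "apps", "deployments", "projects"),
    Request("watch", "apps", "deployments", "projects"),
    Request("patch", "apps", "deployments", "projects"),
    Request("get", "apps", "replicasets", "projects"),
    Request("list", "apps", "replicasets", "projects"),
]

# Requests a compromised pipeline step must keep getting Forbidden for.
MUST_DENY = [
    Request("delete", "apps", "deployments", "projects"),
    Request("create", "apps", "deployments", "projects"),
    Request("patch", "apps", "deployments", "threesix"),        # other namespace
    Request("get", "", "secrets", "projects"),                  # core group
    Request("create", "", "pods/exec", "projects"),             # exec into pods
    Request("patch", "apps", "deployments/scale", "projects"),  # separate subresource
    Request("patch", "apps", "replicasets", "projects"),
]


def audit(rules, namespace=ROLE_NAMESPACE):
    """Return (missing, excess): REQUIRED requests the rules deny and
    MUST_DENY requests the rules allow. Both empty means the Role is tight."""
    missing = [r for r in REQUIRED if not role_allows(rules, namespace, r)]
    excess = [r for r in MUST_DENY if role_allows(rules, namespace, r)]
    return missing, excess


if __name__ == "__main__":
    for label, rules in (("without watch", RULES_WITHOUT_WATCH),
                         ("with watch", RULES_WITH_WATCH)):
        missing, excess = audit(rules)
        print(label, "missing:", [r.verb for r in missing],
              "excess:", [f"{r.verb} {r.resource}" for r in excess])
```

Against a live cluster the same questions are answered by impersonating the ServiceAccount, for example `kubectl auth can-i watch deployments.apps -n projects --as=system:serviceaccount:threesix:default`, or `kubectl auth can-i --list -n projects --as=system:serviceaccount:threesix:default` to dump everything the binding grants; the offline evaluator is for catching drift in review before the manifest is applied.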