jordan/rdev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cee736e781
rdev/deployments/k8s/base/woodpecker-deployer-rbac.yaml
jordan 34e72687e6 feat: Complete automation gaps for repeatable project deployments 
- Initial K8s deployment auto-creation during project creation
- DNS record upsert support (create or update existing records)
- Ingress host management for domain aliases (AddIngressHost/RemoveIngressHost)
- Woodpecker deployer RBAC manifest for CI deploy steps
- Single-commit template seeding via Gitea bulk file API

Closes automation gaps exposed during www.threesix.ai launch:
- Projects now auto-create K8s Deployment/Service/Ingress on creation
- Domain aliases automatically update both DNS and K8s ingress
- CI deploy steps work without manual RBAC setup
- Template seeding triggers only one CI pipeline (not per-file)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 15:18:31 -07:00

50 lines
1.7 KiB
YAML
Raw Blame History

# RBAC for Woodpecker CI to deploy projects
#
# The Woodpecker CI deploy step runs as the `default` ServiceAccount in the
# `threesix` namespace but needs to update deployments in the `projects`
# namespace using `kubectl set image`.
#
# This uses a namespace-scoped Role (not ClusterRole) to follow least-privilege:
# permissions are restricted to the `projects` namespace only.
#
# Without this, deploy steps fail with:
# Error from server (Forbidden): deployments.apps "project-name" is forbidden:
# User "system:serviceaccount:threesix:default" cannot patch resource
# "deployments" in API group "apps" in the namespace "projects"
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: woodpecker-deployer
namespace: projects # Scoped to projects namespace only
labels:
app.kubernetes.io/name: woodpecker-deployer
app.kubernetes.io/part-of: rdev
rules:
# Minimal permissions for `kubectl set image` on deployments
# - get: Required to read current deployment state
# - list: Required for kubectl to find the deployment
# - patch: Required for `kubectl set image` to update the container image
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-deployer
namespace: projects # Binding in the target namespace
labels:
app.kubernetes.io/name: woodpecker-deployer
app.kubernetes.io/part-of: rdev
subjects:
# Woodpecker CI runs pipeline steps as the default ServiceAccount
# in the threesix namespace
- kind: ServiceAccount
name: default
namespace: threesix
roleRef:
kind: Role
name: woodpecker-deployer
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink