feat: add ClusterRole for customer provisioning, register DOCR helm repo, remove stale test customer

customers/test.yaml

@@ -1,26 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: customer-test
-  namespace: argocd
-spec:
-  project: default
-  sources:
-    - repoURL: git.lunarfront.tech/ryan/lunarfront-app
-      chart: lunarfront
-      targetRevision: "latest"
-      helm:
-        valueFiles:
-          - $values/customers/test.yaml
-    - repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
-      targetRevision: main
-      ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: customer-test
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true

manager/rbac.yaml

@@ -4,6 +4,7 @@ metadata:
   name: manager
   namespace: manager
 ---
+# pgbouncer config management
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -37,6 +38,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   name: manager-pgbouncer
 ---
+# ArgoCD application management
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -60,3 +62,29 @@ roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
   name: manager-argocd
+---
+# Cluster-wide: create/delete customer namespaces and manage secrets within them
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-customer-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "delete", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-customer-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: manager
+    namespace: manager
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: manager-customer-provisioner