diff --git a/customers/test.yaml b/customers/test.yaml
deleted file mode 100644
index 7711fc6..0000000
--- a/customers/test.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: customer-test
- namespace: argocd
-spec:
- project: default
- sources:
- - repoURL: git.lunarfront.tech/ryan/lunarfront-app
- chart: lunarfront
- targetRevision: "latest"
- helm:
- valueFiles:
- - $values/customers/test.yaml
- - repoURL: ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git
- targetRevision: main
- ref: values
- destination:
- server: https://kubernetes.default.svc
- namespace: customer-test
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/manager/rbac.yaml b/manager/rbac.yaml
index 50246dc..163190d 100644
--- a/manager/rbac.yaml
+++ b/manager/rbac.yaml
@@ -4,6 +4,7 @@ metadata:
 name: manager
 namespace: manager
 ---
+# pgbouncer config management
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -37,6 +38,7 @@ roleRef:
 apiGroup: rbac.authorization.k8s.io
 name: manager-pgbouncer
 ---
+# ArgoCD application management
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -60,3 +62,29 @@ roleRef:
 kind: Role
 apiGroup: rbac.authorization.k8s.io
 name: manager-argocd
+---
+# Cluster-wide: create/delete customer namespaces and manage secrets within them
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-customer-provisioner
+rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "create", "delete", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-customer-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: manager
+ namespace: manager
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: manager-customer-provisioner
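Review bot: The `secrets` rule in `manager-customer-provisioner` is attached with a ClusterRoleBinding, so the `manager` service account can `get`, `create`, `delete` and `patch` Secrets in every namespace, not only in the customer namespaces the header comment describes. That includes the `argocd` and `manager` namespaces seen elsewhere in this diff. I would keep only the `namespaces` rule in the cluster-wide binding and move the secrets rule into its own ClusterRole, referenced by a RoleBinding in each customer namespace. How that RoleBinding gets created is not visible here; it could come from the customer chart, or from the manager holding `create` on `rolebindings` plus `bind` on that one ClusterRole. The `delete` verb on `namespaces` is likewise unrestricted, and RBAC cannot narrow it for dynamically named namespaces, so an admission policy keyed on the customer namespace naming or a label is worth adding.

```yaml
# … unchanged: apiVersion/kind/metadata of manager-customer-provisioner …
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "create", "delete"]
---
# Secrets access for customer namespaces; bind per namespace, never cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: manager-customer-secrets
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "delete", "patch"]
---
# One RoleBinding per customer namespace (namespace below is a placeholder)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-customer-secrets
  namespace: "<CUSTOMER_NAMESPACE>"
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: manager-customer-secrets
# … unchanged: ClusterRoleBinding manager-customer-provisioner …
```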