---
# Identity used by the manager workload; every binding below targets it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: manager
  namespace: manager

---
# pgbouncer namespace: read/patch the pgbouncer config, its userlist secret
# and its Deployment. Each rule is pinned to one object via resourceNames.
# NOTE(review): "patch" on the Deployment allows changing its pod template
# (image, env, volumes), so this grant is effectively "run code as the
# pgbouncer workload" — acceptable only if the manager is trusted to that
# degree. resourceNames cannot constrain list/create, which is why neither
# verb is granted here; keep it that way.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manager-pgbouncer
  namespace: pgbouncer
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - pgbouncer-config
    verbs:
      - get
      - patch
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - pgbouncer-userlist
    verbs:
      - get
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments
    resourceNames:
      - pgbouncer
    verbs:
      - get
      - patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-pgbouncer
  namespace: pgbouncer
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: manager-pgbouncer

---
# argocd namespace: full lifecycle of Argo CD Application objects.
# NOTE(review): create/patch on Applications lets the holder point Argo CD at
# arbitrary manifests; the real blast radius is set by the AppProject(s) the
# manager may reference (allowed source repos and destination namespaces /
# clusters) — confirm those are restricted, since no resourceNames scoping is
# applied here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manager-argocd
  namespace: argocd
rules:
  - apiGroups:
      - argoproj.io
    resources:
      - applications
    verbs:
      - get
      - create
      - delete
      - patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-argocd
  namespace: argocd
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: manager-argocd

---
# dev namespace: manage dev Deployments, observe pods, patch one secret.
# NOTE(review): the deployments rule has no resourceNames, so it covers every
# Deployment in "dev" (including their pod templates), unlike the pgbouncer
# rule above; narrow it if the manager only touches a known set.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manager-dev
  namespace: dev
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - dev-secrets
    verbs:
      - get
      - patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-dev
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: manager-dev

---
# Cluster-wide: provision customer namespaces and the secrets placed in them.
# NOTE(review): RBAC cannot scope a ClusterRole to "customer namespaces only";
# bound via ClusterRoleBinding, the secrets rule grants get/create/delete/patch
# on Secrets in *every* namespace (kube-system included), and the namespaces
# rule allows deleting any namespace. This is the broadest grant in the file.
# If the manager only needs access inside namespaces it creates, consider
# keeping only the namespaces rule here and having the provisioner create a
# namespace-scoped Role/RoleBinding (or use an admission policy) — verify the
# manager's actual access pattern before changing it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: manager-customer-provisioner
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
      - delete
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-customer-provisioner
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: manager-customer-provisioner