From 716d854b3d87598b157c9ae3bd9943ef0de7de8e Mon Sep 17 00:00:00 2001
From: Ronni Baslund
Date: Thu, 11 Jun 2026 08:08:42 +0200
Subject: [PATCH] fix(ci): grant ci-deployer Endpoints write (admin role excludes it)

The deploy failed creating the selectorless stalwart-http Service's Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role no longer grants write on legacy Endpoints. Explicit endpoints + endpointslices rules on the ci-deployer role (already applied live); manifest comment touch retriggers the infra apply.
---
 .../production/fleet/apps/mail-autodiscovery.yaml | 3 +++
 infrastructure/production/fleet/ci/ci-deployer.yaml | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/infrastructure/production/fleet/apps/mail-autodiscovery.yaml b/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
index 86fcc7e..acc5177 100644
--- a/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
+++ b/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
@@ -15,6 +15,9 @@
 #
 # Customer domains (autodiscover..tld) need per-domain certs and an
 # automated Ingress/Certificate per verified domain — follow-up feature.
+#
+# NB: the ci-deployer Role carries explicit Endpoints write — the namespaced
+# 'admin' role stopped granting it (CVE-2021-25740 hardening).
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/infrastructure/production/fleet/ci/ci-deployer.yaml b/infrastructure/production/fleet/ci/ci-deployer.yaml
index fc8b420..9e4fe9e 100644
--- a/infrastructure/production/fleet/ci/ci-deployer.yaml
+++ b/infrastructure/production/fleet/ci/ci-deployer.yaml
@@ -48,6 +48,15 @@ rules:
   - apiGroups: ["traefik.io"]
     resources: ["middlewares"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  # 'admin' stopped granting WRITE on legacy Endpoints (CVE-2021-25740
+  # hardening), but the selectorless stalwart-http Service needs its
+  # Endpoints applied by the pipeline. EndpointSlice included for parity.
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
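Review bot: The new endpoints rule hands the ci-deployer identity the exact capability the CVE-2021-25740 hardening removed from 'admin': update/patch on every Endpoints object in the namespace lets whoever holds the pipeline token repoint any Service here at arbitrary in-cluster addresses, not only stalwart-http. Pinning the mutating verbs with `resourceNames: ["stalwart-http"]` (an Endpoints object carries its Service's name) confines that to the one object the pipeline manages; `create`, `list` and `watch` cannot be narrowed by resourceNames, so create stays namespace-wide and the comment should say so. The endpointslices rule is granted "for parity" only — if the pipeline applies just the Endpoints object, the EndpointSlice is normally populated by the mirroring controller and the second rule can be dropped, but confirm that against what the pipeline actually applies. The RoleBinding that follows starts outside the hunk, so which subjects receive this grant is not visible here.
```yaml
  # … unchanged: middlewares rule …
  # Endpoints write lets the holder point any Service in this namespace at
  # arbitrary in-cluster IPs (the CVE-2021-25740 exposure). Mutating verbs are
  # pinned to the one object the pipeline manages; create/list/watch cannot
  # be scoped by resourceNames, so creation stays namespace-wide.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["stalwart-http"]
    verbs: ["update", "patch", "delete"]
```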