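# ServiceAccount the CI deploy job uses to roll out the app tier.
#
# The Gitea Actions runner lives in this cluster (see gitea-runner.yaml), so
# the deploy job in .gitea/workflows/ci.yml talks straight to the API server
# on the in-cluster service IP (https://10.43.0.1) with a kubeconfig built
# from this ServiceAccount's token. Scope: admin within dezky-apps only, plus
# the Traefik Middleware CRD ('admin' doesn't aggregate CRDs), name-scoped
# write on the one Endpoints object the pipeline applies, and read/patch on
# the dezky-apps Namespace object itself (kustomization includes it).
#
# Mint the kubeconfig + store it as the KUBECONFIG_B64 Gitea repo secret —
# one-time, documented in ../README.md. When minting, pin the cluster CA in
# the kubeconfig (certificate-authority-data from the token Secret's ca.crt)
# rather than insecure-skip-tls-verify; the in-cluster IP is only as trusted
# as the certificate you check it against.
#
# Threat model reminder: whoever can read this repo's Gitea secrets (any
# workflow that runs in the repo, so anyone who can land a change under
# .gitea/workflows/) effectively holds namespace-admin on dezky-apps.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer
  namespace: dezky-apps
---
# Long-lived token (k8s no longer auto-creates these for ServiceAccounts).
#
# This token never expires on its own. Rotation = delete this Secret and
# re-apply it (the token controller populates a fresh token), then re-mint
# KUBECONFIG_B64. Deleting the ServiceAccount invalidates all of its tokens.
# Note that 'admin' grants get/list on Secrets in dezky-apps, so the SA can
# read this token back — and every other Secret in the namespace; keep
# material CI has no business seeing out of dezky-apps.
apiVersion: v1
kind: Secret
metadata:
  name: ci-deployer-token
  namespace: dezky-apps
  annotations:
    kubernetes.io/service-account.name: ci-deployer
type: kubernetes.io/service-account-token
---
# Namespace-scoped 'admin'. Beyond the obvious, this lets the SA create
# Pods (so mount any Secret/ConfigMap in the namespace) and create Roles /
# RoleBindings here (limited to the permissions it already holds).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-admin
  namespace: dezky-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: dezky-apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-deployer-traefik
  namespace: dezky-apps
rules:
  - apiGroups: ["traefik.io"]
    resources: ["middlewares"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # 'admin' stopped granting WRITE on legacy Endpoints (CVE-2021-25740
  # hardening: an Endpoints writer can point a Service — and so the Ingress
  # in front of it — at arbitrary IPs, including Pods in other namespaces or
  # the control plane). The selectorless stalwart-http Service needs its
  # Endpoints applied by the pipeline, so the write is re-granted here, but
  # only for that one object: an Endpoints object carries its Service's name,
  # so resourceNames pins it to "stalwart-http". create/list/watch are
  # deliberately absent — RBAC cannot restrict those by name, and kubectl
  # apply only needs get + patch/update once the object exists. Bootstrap
  # the Endpoints object by hand the first time, same as the Namespace below.
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["stalwart-http"]
    verbs: ["get", "update", "patch", "delete"]
  # NOTE(review): EndpointSlices for a selectorless Service are normally
  # derived from its Endpoints by the endpointslice-mirroring controller, and
  # mirrored slices get generated names that cannot be name-scoped. If ci.yml
  # does not apply EndpointSlice manifests itself, drop this rule — it is the
  # same Endpoints-redirection hazard as above, unscoped. Verify against the
  # pipeline before removing.
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-traefik
  namespace: dezky-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-deployer-traefik
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: dezky-apps
---
# kubectl apply -k includes namespace.yaml; name-scoped so this SA can only
# touch the dezky-apps Namespace (create is intentionally absent — if the
# namespace is ever gone, bootstrap it by hand per the RUNBOOK).
#
# NOTE(review): patch/update on the Namespace object means the token holder
# can rewrite its labels, including the pod-security.kubernetes.io/* labels.
# If Pod Security Admission is what stops this SA's 'admin' from creating a
# privileged/hostPath Pod in dezky-apps, this rule lets it turn that off
# first. Options: leave namespace.yaml out of the kustomization (the
# namespace is hand-bootstrapped anyway) so this ClusterRole can be removed,
# or guard the PSA labels with a ValidatingAdmissionPolicy that rejects
# changes from this SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-deployer-namespace
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    resourceNames: ["dezky-apps"]
    verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ci-deployer-namespace
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: dezky-apps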