dezky/infrastructure/production/fleet/ci/ci-deployer.yaml
Ronni Baslund 716d854b3d
ci / tc_portal (push) Has been skipped
ci / tc_operator (push) Has been skipped
ci / tc_website (push) Has been skipped
ci / build_portal (push) Has been skipped
ci / changes (push) Successful in 4s
ci / tc_booking (push) Has been skipped
ci / tc_platform_api (push) Has been skipped
ci / test_platform_api (push) Has been skipped
ci / build_booking (push) Has been skipped
ci / build_operator (push) Has been skipped
ci / build_platform_api (push) Has been skipped
ci / deploy (push) Successful in 7s
fix(ci): grant ci-deployer Endpoints write (admin role excludes it)
The deploy failed creating the selectorless stalwart-http Service's
Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role
no longer grants write on legacy Endpoints. Explicit endpoints +
endpointslices rules on the ci-deployer role (already applied live);
manifest comment touch retriggers the infra apply.
2026-06-11 08:08:42 +02:00


# ServiceAccount the CI deploy job uses to roll out the app tier.
#
# The Gitea Actions runner lives in this cluster (see gitea-runner.yaml), so
# the deploy job in .gitea/workflows/ci.yml talks straight to the API server
# on the in-cluster service IP (https://10.43.0.1) with a kubeconfig built
# from this ServiceAccount's token. Scope: 'admin' within dezky-apps only,
# plus the Traefik Middleware CRD ('admin' only aggregates CRDs that ship a
# ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-admin) and
# read/patch on the dezky-apps Namespace object itself (the kustomization
# includes it).
#
# Mint the kubeconfig and store it as the KUBECONFIG_B64 Gitea repo secret
# (one-time, documented in ../README.md). That repo secret is namespace
# admin on dezky-apps, so treat it as such; rotate it by deleting
# ci-deployer-token, re-applying this file and re-minting.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-deployer
  namespace: dezky-apps
---
# Long-lived token: since v1.24 Kubernetes no longer auto-creates these for
# ServiceAccounts, so ask for one explicitly. It never expires; revoking it
# means deleting this Secret (the API server rejects the token once the
# Secret backing it is gone).
apiVersion: v1
kind: Secret
metadata:
  name: ci-deployer-token
  namespace: dezky-apps
  annotations:
    kubernetes.io/service-account.name: ci-deployer
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-admin
  namespace: dezky-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: dezky-apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-deployer-traefik
  namespace: dezky-apps
rules:
- apiGroups: ["traefik.io"]
  resources: ["middlewares"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# 'admin' stopped granting WRITE on legacy Endpoints with the CVE-2021-25740
# hardening (an Endpoints writer can point a Service at any address, so an
# Ingress/IngressRoute in this namespace could forward traffic anywhere the
# cluster can reach). The selectorless stalwart-http Service needs its
# Endpoints applied by the pipeline, so this SA gets that write back, scoped
# to dezky-apps. EndpointSlice included for parity.
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-traefik
  namespace: dezky-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-deployer-traefik
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: dezky-apps
---
# kubectl apply -k includes namespace.yaml; name-scoped so this SA can only
# touch the dezky-apps Namespace. create is intentionally absent (RBAC could
# not name-scope it anyway: a create request carries no object name in its
# URL, so resourceNames never matches it): if the namespace is ever gone,
# bootstrap it by hand per the RUNBOOK.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-deployer-namespace
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["dezky-apps"]
  verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-deployer-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ci-deployer-namespace
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: dezky-apps
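The kubeconfig minting that the header comment refers to, as an added example that is not the dezky repo's own tooling or its README procedure: it builds a kubeconfig from the ci-deployer-token Secret, prints the KUBECONFIG_B64 value, and checks the effective grant against what this manifest intends (Endpoints and EndpointSlice write in dezky-apps, Middleware write, Namespace patch but no Namespace create, nothing in kube-system). The API server URL, namespace and object names come from the manifest; the "dezky" cluster/context names, the expected-answer table and the script itself are assumptions.

```shell
#!/bin/sh
# Added example, not the dezky repo's own tooling: mint the kubeconfig for the
# ci-deployer ServiceAccount from its long-lived token Secret, print it as the
# KUBECONFIG_B64 value, and check the grant matches the manifest's intent.
# Assumes kubectl in PATH with an admin context on the cluster when run with
# the "mint" argument; render_kubeconfig and b64_oneline touch nothing.
set -eu

NS=dezky-apps
SA=ci-deployer
SECRET=ci-deployer-token
SERVER=https://10.43.0.1      # in-cluster API service IP, as in the manifest

# Render a token-based kubeconfig. $1 = API server URL, $2 = base64 CA bundle
# (data.ca\.crt in the Secret is already base64), $3 = bearer token.
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: dezky
  cluster:
    server: $1
    certificate-authority-data: $2
contexts:
- name: ${SA}@dezky
  context:
    cluster: dezky
    namespace: ${NS}
    user: ${SA}
current-context: ${SA}@dezky
users:
- name: ${SA}
  user:
    token: $3
EOF
}

# Single-line base64 of stdin (avoids GNU-only -w0 so BSD base64 works too).
b64_oneline() { base64 | tr -d '\n'; }

# verb resource namespace(- = cluster scope) expected answer. Assumed table of
# what the RBAC in this file should and should not allow the SA to do.
EXPECTED='create endpoints dezky-apps yes
create endpointslices.discovery.k8s.io dezky-apps yes
create middlewares.traefik.io dezky-apps yes
patch namespaces/dezky-apps - yes
create namespaces - no
create endpoints kube-system no
get secrets kube-system no'

# Run every EXPECTED line through "kubectl auth can-i" as the SA.
# $1 = kubeconfig path; returns non-zero if any answer differs.
check_grants() {
  rc=0
  while read -r verb res ns want; do
    if [ "$ns" = "-" ]; then nsflag=""; else nsflag="--namespace=$ns"; fi
    # can-i exits 1 on "no", so swallow the status and compare the text.
    got=$(kubectl --kubeconfig "$1" auth can-i "$verb" "$res" $nsflag 2>/dev/null || true)
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $res $ns: want $want, got ${got:-error}" >&2
      rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# Pull token + CA from the Secret, verify the grant, emit the repo-secret value.
mint() {
  token=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.token}' | base64 -d)
  ca=$(kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.ca\.crt}')
  kc=$(mktemp)                                   # 0600, holds the token briefly
  render_kubeconfig "$SERVER" "$ca" "$token" > "$kc"
  check_grants "$kc"
  echo "KUBECONFIG_B64=$(b64_oneline < "$kc")"
  rm -f "$kc"
}

if [ "${1:-}" = "mint" ]; then mint; fi
```

Run it as `sh mint-ci-kubeconfig.sh mint` from a workstation context that can read Secrets in dezky-apps; the grant check runs as the SA itself, so a mismatch (for example "create endpoints dezky-apps: want yes, got no") surfaces before the value is ever pasted into Gitea. The kube-system and Namespace-create rows are there to catch the opposite failure, a binding that accidentally reaches beyond this namespace.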