feat: give gitea-operator access to team namespace

linode · Feb 7, 2025 · a2012da · a2012da
1 parent d1dafbc
commit a2012da
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 26 deletions.
diff --git a/charts/apl-gitea-operator/templates/rbac.yaml b/charts/apl-gitea-operator/templates/rbac.yaml
@@ -60,30 +60,4 @@ roleRef:
   name: {{ include "apl-gitea-operator.fullname" . }}-pod-exec
   apiGroup: rbac.authorization.k8s.io
 ---
-# Role for managing service accounts in gitea namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "apl-gitea-operator.fullname" . }}-service-accounts
-  namespace: gitea
-rules:
-# Allows the operator to create, get and list secrets in the gitea namespace. This is necessary to create service accounts for build in harbor.
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "get", "list"]
----
-# RoleBinding for the above Role in gitea namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "apl-gitea-operator.fullname" . }}-service-accounts
-  namespace: gitea
-subjects:
-- kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
-  name: {{ include "apl-gitea-operator.serviceAccountName" . }}
-roleRef:
-  kind: Role
-  name: {{ include "apl-gitea-operator.fullname" . }}-service-accounts
-  apiGroup: rbac.authorization.k8s.io
 {{- end }}
diff --git a/charts/team-ns/templates/rbac.yaml b/charts/team-ns/templates/rbac.yaml
@@ -220,4 +220,31 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: tekton-triggers-createwebhook-team-{{ $v.teamId }}
+---
+# Role for managing service accounts in team namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: apl-gitea-operator-service-accounts
+  namespace: team-{{ $v.teamId }}
+rules:
+# Allows the apl-gitea-operator to create, get and list secrets in the team namespace. This is necessary to create service accounts for build in harbor.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "list"]
+---
+# RoleBinding for the above Role in team namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: apl-gitea-operator-service-accounts
+  namespace: team-{{ $v.teamId }}
+subjects:
+- kind: ServiceAccount
+  namespace: apl-gitea-operator
+  name: apl-gitea-operator
+roleRef:
+  kind: Role
+  name: apl-gitea-operator-service-accounts
+  apiGroup: rbac.authorization.k8s.io
 ---