# RBAC for runner registration initContainer
# Allows reading gitea-admin secret and listing pods in gitea namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: runner-registrar
  namespace: test-env
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-env-gitea-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["gitea-admin"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-env-gitea-reader
subjects:
  - kind: ServiceAccount
    name: runner-registrar
    namespace: test-env
roleRef:
  kind: ClusterRole
  name: test-env-gitea-reader
  apiGroup: rbac.authorization.k8s.io