From 5bd8b5fc129dc724fab9bac0bae49d2bc105533e Mon Sep 17 00:00:00 2001
From: Bi-Gen
Date: Tue, 26 May 2026 12:12:59 +0200
Subject: [PATCH] fix: add secrets and pods RBAC rules for admin-api builder
The deployer (admin-api builder) requires access to secrets and pods that are not included in the current wsku role definition. Secrets are used by build_service.py:
- create_registry_secret() for docker registry auth
- get_secret() to read registry credentials
- delete_secret() to clean up after build
Pods are used by kube_api_client.py:
- get_pod_by_job_name() to find the buildkit job pod
- stream_pod_logs() to monitor build progress
- get_pod() to check pod status
Tested on k3s (lorenzo1) with Cotemar pipeline deployment. Without these permissions the builder fails with RBAC errors.
Related: nuvolaris/projects#409
---
 deploy/nuvolaris-permissions/nuvolaris-wsku-roles.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/deploy/nuvolaris-permissions/nuvolaris-wsku-roles.yaml b/deploy/nuvolaris-permissions/nuvolaris-wsku-roles.yaml
index 101cff0..a9d4cfa 100644
--- a/deploy/nuvolaris-permissions/nuvolaris-wsku-roles.yaml
+++ b/deploy/nuvolaris-permissions/nuvolaris-wsku-roles.yaml
@@ -37,6 +37,14 @@ rules:
 - apiGroups: ["batch"]
   resources: ["jobs"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# assign the possibility to operate on secrets (admin api builder)
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# assign the possibility to monitor build pods (admin api builder)
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
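Review bot: The new `secrets` rule grants every verb, including `list` and `watch`, on all Secrets in the role's namespace, which is broader than the three calls the commit message names (create_registry_secret, get_secret, delete_secret all operate on a secret by name); with this role any subject bound to it can enumerate and read every secret in the namespace, not just the registry credential. If build_service.py only addresses the registry secret by name, drop `list`/`watch` so the rule becomes `verbs: ["get", "create", "update", "patch", "delete"]`, and consider a `resourceNames` entry for the registry secret on the `get`/`update`/`patch`/`delete` side (note `resourceNames` cannot constrain `create`, `list` or `watch`, so those verbs keep their namespace-wide scope). The `pods`/`pods/log` rule is read-only and matches the described usage. The two `# assign the possibility ...` comments say who needs the rule but not why; something like `# admin-api builder: registry auth secret for buildkit jobs (build_service.py)` and `# admin-api builder: follow buildkit job pod status/logs (kube_api_client.py)` would let a reviewer judge whether the verbs are still justified later. The `rules:` sequence these entries belong to starts before the hunk.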