From a9040239a32e7981a0fc320abbec499ad4a0c9d9 Mon Sep 17 00:00:00 2001
From: Bi-Gen
Date: Tue, 26 May 2026 12:26:55 +0200
Subject: [PATCH] fix: add secrets and pods RBAC rules for admin-api builder
The deployer (admin-api builder) requires access to secrets and pods that are not included in the current wsku role definition.
Secrets are used by build_service.py:
- create_registry_secret() for docker registry auth
- get_secret() to read registry credentials
- delete_secret() to clean up after build
Pods are used by kube_api_client.py:
- get_pod_by_job_name() to find the buildkit job pod
- stream_pod_logs() to monitor build progress
- get_pod() to check pod status
Mirrors apache/openserverless-operator#101. Tested on k3s (lorenzo1) with Cotemar pipeline deployment.
Related: nuvolaris/projects#409
---
 setup/kubernetes/roles/nuvolaris-wsku-roles.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/setup/kubernetes/roles/nuvolaris-wsku-roles.yaml b/setup/kubernetes/roles/nuvolaris-wsku-roles.yaml
index 101cff0..a9d4cfa 100644
--- a/setup/kubernetes/roles/nuvolaris-wsku-roles.yaml
+++ b/setup/kubernetes/roles/nuvolaris-wsku-roles.yaml
@@ -37,6 +37,14 @@ rules:
 - apiGroups: ["batch"]
 resources: ["jobs"]
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# assign the possibility to operate on secrets (admin api builder)
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# assign the possibility to monitor build pods (admin api builder)
+- apiGroups: [""]
+ resources: ["pods", "pods/log"]
+ verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
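Review bot: The new `secrets` rule grants `list`, `watch`, `update` and `patch`, but the commit description names only creating, reading and deleting the registry secret (`create_registry_secret()`, `get_secret()`, `delete_secret()`). `list` and `watch` on secrets return the full data of every secret within the binding's scope, so the builder's service account could read credentials unrelated to builds. Unless build_service.py makes calls the description does not list, narrow that line to `verbs: ["get", "create", "delete"]`. If the registry secret has a fixed name, a separate rule with `resourceNames` for `get` and `delete` would tighten it further (`create` cannot be restricted by name). The role's header and the namespace it is bound in are outside this hunk, so the effective scope should be confirmed there.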