fix(rbac): grant get on configmaps/secrets to jobs-manager SA

[shujaatTracebloc]

Summary

The ingestion endpoint (POST /internal/submit-ingestion-run) on jobs-manager reads the existing ConfigMap/Secret on a create-409 to verify content before reuse:

• orphan-resource verify (client-runtime#52) — _verify_existing_configmap_matches / _verify_existing_secret_matches
• missing-row self-heal (client-runtime#54) — _self_heal_or_concurrent_conflict

Both call read_namespaced_config_map / read_namespaced_secret, which require the get verb. The Role/ClusterRole only granted create, so on the real cluster those reads return Forbidden and the endpoint returns 500 instead of the intended 409 / 200-replay.

Fix

Add get alongside create on ["configmaps", "secrets"] in both the ClusterRole (clusterScope: true) and namespace Role (clusterScope: false) branches of client/templates/rbac.yaml.

Verification (dev cluster tb-client-dev-templates)

Reproduced live: with only create, planting an orphan ConfigMap + re-POSTing returned:

HTTP 500 {"error":"failed to read existing ConfigMap '…' after 409: Forbidden"}

After temporarily granting get, the same requests returned the intended results — orphan-content mismatch → 409, matching content → 201/200 replay, and #54's self-heal → 200 replay. This PR makes that grant permanent.

• helm template renders cleanly in both clusterScope branches with verbs: ["create", "get"].

Unblocks the orphan-recovery / self-heal paths shipped in client-runtime #52 and #54, which are non-functional in dev/prod until this lands.

🤖 Generated with Claude Code

---

Note

Low Risk
Small, scoped RBAC verb addition on resources the SA already creates; fixes broken 409/replay paths without changing auth or ingestion logic.

Overview
Grants the jobs-manager service account get on configmaps and secrets (in addition to create) in client/templates/rbac.yaml, for both clusterScope: true (ClusterRole) and clusterScope: false (namespace Role).

That permission is needed when ingestion creates a ConfigMap/Secret and Kubernetes returns 409: jobs-manager must read the existing object to verify content (orphan recovery) or self-heal/replay. Without get, those reads fail with Forbidden and POST /internal/submit-ingestion-run returns 500 instead of the intended 409 or replay behavior from client-runtime #52 / #54.

^{Reviewed by Cursor Bugbot for commit 1070ca1. Bugbot is set up for automated code reviews on this repo. Configure here.}

[LukasWodka]

👋 Heads-up — Code review queue is at 19 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#98 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• cli#18 — docs: refresh README + stale --help strings for shipped v0.1 · author: @aptracebloc · reviewer: @LukasWodka
• client#180 — fix(resource-monitor): always grant read-only ClusterRole (decouple from clusterScope) · author: @shujaatTracebloc · reviewer: @saadqbal
• client-runtime#45 — Staging: Enhance jobs-manager with HTTP proxy, ingestion endpoint, and fixes · author: @saadqbal · no reviewer assigned
• client-runtime#61 — docs: record MySQL credential threat-model decision · author: @saadqbal · no reviewer assigned
• client-runtime#67 — ci: publish jobs-manager images on merge (closes the deploy-delivery gap) · author: @LukasWodka · no reviewer assigned
• client-runtime#68 — fix(pods-monitor): watch the release namespace, not hardcoded "default" · author: @shujaatTracebloc · no reviewer assigned
• client-runtime#70 — fix(Helm chart auto-update — deployed clients stay frozen on installed version #69): don't evict SB sender on payload serialize fail; drop redundant COPY · author: @saadqbal · no reviewer assigned
• design-system#19 — fix: un-track coverage/ and node_modules/ from git · author: @LukasWodka · no reviewer assigned
• design-system#22 — ci: add Vitest test workflow · author: @LukasWodka · reviewer: @aptracebloc

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)