From 146072878ba89458a9ca23616435b8f4dc545d64 Mon Sep 17 00:00:00 2001
From: iverly
Date: Mon, 22 Apr 2024 10:29:04 +0200
Subject: [PATCH] feat(tenant): allow hello world team only deployment, service and ingress

Signed-off-by: iverly
---
 tenants/hello-world-team/rbac.yaml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/tenants/hello-world-team/rbac.yaml b/tenants/hello-world-team/rbac.yaml
index 6d2fd20..b6a21e1 100644
--- a/tenants/hello-world-team/rbac.yaml
+++ b/tenants/hello-world-team/rbac.yaml
@@ -8,6 +8,24 @@ metadata:
 namespace: hello-world-app
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ toolkit.fluxcd.io/tenant: hello-world-team
+ name: hello-world-team-role
+ namespace: hello-world-app
+rules:
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["apps", "extensions"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 labels:
@@ -16,12 +34,9 @@ metadata:
 namespace: hello-world-app
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
+ kind: Role
+ name: hello-world-team-role
 subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: User
- name: gotk:hello-world-team:reconciler
 - kind: ServiceAccount
 name: hello-world-team
 namespace: hello-world-app
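Review bot: The `deployments` rule in the new Role still lets the tenant submit any pod template, so moving off cluster-admin limits which kinds it can write but not what the resulting pods are allowed to do, unless pod security admission is enforced on `hello-world-app`; no such enforcement is visible in this patch. I would add `pod-security.kubernetes.io/enforce: restricted` to the Namespace labels (the Namespace manifest is outside the hunk) or an equivalent admission policy. The `ingresses` rule has the same gap: without a policy restricting hosts and ingress class, the tenant can declare routes for hostnames that belong to other teams. Smaller point: `extensions` has not served Deployments since Kubernetes 1.16, so `- apiGroups: ["apps"]` is sufficient for that rule.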
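Review bot: `roleRef` is immutable on an existing RoleBinding, so on a cluster where this binding already points at `cluster-admin` the API server will reject the change to `kind: Role` / `name: hello-world-team-role`, and the cluster-admin grant stays in effect until the object is deleted and recreated. Either give the binding a new `metadata.name` so the old one is pruned (its name line sits between the hunks and is not visible here), or confirm that the Flux Kustomization applying this file sets `force: true`. After rollout, verify the effective permissions with `kubectl auth can-i --list --as=system:serviceaccount:hello-world-app:hello-world-team -n hello-world-app`. Removing the `gotk:hello-world-team:reconciler` User subject also means any reconciler that impersonates that user rather than the service account loses access, which is presumably intended but worth checking against the tenant's Kustomization.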