d8e17ee22e
ITSH Cloud's multi-tenant model forbids tenants from creating Roles or RoleBindings, so the custom least-privilege Role we shipped can't be applied. The pre-provisioned 'tenant-2' ServiceAccount in the tenant namespace already carries the necessary secret-patch permission, so we just point the CronJob at it. Also fixes the kustomize commonLabels -> labels deprecation.
25 lines
909 B
YAML
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: tenant-2

labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: claude-matrix-bot-reset-watcher
      app.kubernetes.io/part-of: claude-tooling

resources:
  - configmap.yaml
  - pvc.yaml
  - cronjob.yaml
# Bring your own real secrets out-of-band:
# kubectl -n tenant-2 create secret generic claude-matrix-bot-anthropic-tokens ...
# kubectl -n tenant-2 create secret generic claude-matrix-bot-matrix-creds ...
# The *.example.yaml files in this dir are NOT included in kustomize on purpose.
#
# RBAC (Role/RoleBinding/ServiceAccount) is not managed here because ITSH Cloud's
# multi-tenant model forbids tenants from creating those resources. The CronJob runs
# under the pre-provisioned `tenant-2` ServiceAccount, which already has the needed
# secret-patch permission for token refresh.
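Review bot: with RBAC deliberately left unmanaged here, the only thing that binds the CronJob to the `tenant-2` ServiceAccount is whatever cronjob.yaml sets, and that file is not part of this change; confirm its pod template carries `serviceAccountName: tenant-2`, because a pod spec with no serviceAccountName silently runs as the namespace's `default` account and the secret patch then fails at runtime rather than at apply time. The comment block also asserts that the pre-provisioned account "already has the needed secret-patch permission" without saying how that was established; recording the check next to the comment, e.g. `kubectl auth can-i patch secrets -n tenant-2 --as=system:serviceaccount:tenant-2:tenant-2`, lets a reviewer verify the claim, and stating whether that grant is scoped to the two named secrets or to every Secret in the namespace documents how far this deviates from the least-privilege Role the commit message says could not be applied.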