Given deployer tokens read-only access to CRDs for validation

pimterry · pimterry · commit 8dbebc680cac · 2025-12-18T16:50:18.000+01:00
diff --git a/main.tf b/main.tf
@@ -74,11 +74,25 @@ resource "kubernetes_config_map_v1" "autoscaler_priority" {
   depends_on = [scaleway_k8s_pool.primary]
 }
 
+# All projects need read-only access to CRDs for route deploys:
+resource "kubernetes_cluster_role_v1" "crd_reader" {
+  metadata {
+    name = "crd-reader-role"
+  }
+
+  rule {
+    api_groups = ["apiextensions.k8s.io"]
+    resources  = ["customresourcedefinitions"]
+    verbs      = ["get", "list"]
+  }
+}
+
 ### ---
 
 module "public_endpoint" {
   source = "./modules/k8s-project"
   name   = "public-endpoint"
+  crd_reader_role_name = kubernetes_cluster_role_v1.crd_reader.metadata[0].name
 }
 
 output "public_endpoint_deploy_token" {
@@ -89,6 +103,7 @@ output "public_endpoint_deploy_token" {
 module "accounts_api" {
   source = "./modules/k8s-project"
   name   = "accounts-api"
+  crd_reader_role_name = kubernetes_cluster_role_v1.crd_reader.metadata[0].name
 }
 
 output "accounts_api_deploy_token" {
diff --git a/modules/k8s-project/main.tf b/modules/k8s-project/main.tf
@@ -21,13 +21,13 @@ resource "kubernetes_service_account_v1" "deployer" {
   }
 }
 
+# Namespace rule: all permissions, but only in this namespace
 resource "kubernetes_role_v1" "deployer" {
   metadata {
     name      = "gh-actions-deployer-role"
     namespace = kubernetes_namespace_v1.this.metadata[0].name
   }
 
-  # All permissions, but only in this namespace
   rule {
     api_groups = ["*"]
     resources  = ["*"]
@@ -52,6 +52,25 @@ resource "kubernetes_role_binding_v1" "deployer" {
   }
 }
 
+# Cluster rule: read-only perms on CRDs, required for route deploys:
+resource "kubernetes_cluster_role_binding_v1" "deployer_crd_reader" {
+  metadata {
+    name = "${var.name}-gh-actions-deployer-crd-cluster-binding"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.crd_reader_role_name
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account_v1.deployer.metadata[0].name
+    namespace = kubernetes_namespace_v1.this.metadata[0].name
+  }
+}
+
 resource "kubernetes_secret_v1" "deployer_token" {
   metadata {
     name      = "gh-actions-deployer-token"
@@ -61,4 +80,4 @@ resource "kubernetes_secret_v1" "deployer_token" {
     }
   }
   type = "kubernetes.io/service-account-token"
-}
+}
diff --git a/modules/k8s-project/variables.tf b/modules/k8s-project/variables.tf
@@ -1,4 +1,9 @@
 variable "name" {
   description = "The name of the project/namespace"
   type        = string
+}
+
+variable "crd_reader_role_name" {
+  description = "Name of the global ClusterRole that grants CRD read permissions"
+  type        = string
 }
