---
# Identity the setup control plane runs as. It receives the allowlist from
# ClusterRole appliance-control-plane-setup-admin through the
# ClusterRoleBinding at the end of this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: appliance-control-plane
  namespace: alga-appliance-control-plane
  labels:
    app.kubernetes.io/name: appliance-control-plane
    app.kubernetes.io/part-of: alga-appliance
---
# Explicit allowlist for the setup flow. Because this is a ClusterRole bound
# with a ClusterRoleBinding, every namespaced resource listed below (secrets,
# configmaps, serviceaccounts, ...) is reachable in every namespace, not only
# in alga-appliance-control-plane.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: appliance-control-plane-setup-admin
  labels:
    app.kubernetes.io/name: appliance-control-plane
    app.kubernetes.io/part-of: alga-appliance
  annotations:
    alga.nineminds.com/rbac-rationale: >-
      The v1 Kubernetes-hosted setup control plane shells out to kubectl and
      flux to install storage, Flux controllers, CRDs, namespaces, RBAC,
      HelmReleases, and bootstrap jobs. Keep this explicit allowlist broad
      enough for those setup operations, but avoid binding the service account
      to Kubernetes cluster-admin. Narrow further once setup-engine moves from
      shell commands to typed in-cluster API operations.
rules:
  # Core API: namespaced workload plumbing plus the cluster-scoped namespaces
  # and persistentvolumes. Full write verbs on secrets and serviceaccounts are
  # cluster-wide here; delete on persistentvolumes reaches cluster-scoped
  # storage objects.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - configmaps
      - secrets
      - services
      - serviceaccounts
      - persistentvolumeclaims
      - persistentvolumes
      - pods
      - pods/log
      - events
      - resourcequotas
      - limitranges
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  # Read-only node visibility so the status snapshot can detect a Ready node
  # without being able to mutate nodes.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
      - daemonsets
      - replicasets
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  # NOTE(review): "escalate" lets this identity create or update roles that
  # carry permissions it does not hold itself, and "bind" lets it create
  # bindings to such roles. Together with create on clusterrolebindings this
  # makes the role cluster-admin-equivalent in effect, even though no
  # cluster-admin binding exists, so the annotation's goal is only nominally
  # met. Presumably required while Flux bootstrap installs its own RBAC —
  # confirm, and treat RBAC writes performed by this service account as
  # high-signal audit events.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
      - bind
      - escalate
  # CRD lifecycle for the Flux install; delete here removes every object of
  # the affected kind cluster-wide.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  # Flux toolkit API groups managed by the setup flow.
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - helmreleases
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - source.toolkit.fluxcd.io
    resources:
      - gitrepositories
      - helmrepositories
      - ocirepositories
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - kustomize.toolkit.fluxcd.io
    resources:
      - kustomizations
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - notification.toolkit.fluxcd.io
    resources:
      - alerts
      - providers
      - receivers
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - image.toolkit.fluxcd.io
    resources:
      - imagepolicies
      - imagerepositories
      - imageupdateautomations
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
---
# Cluster-wide binding; a ClusterRoleBinding cannot be narrowed to a
# namespace, so any workload running as this service account receives the
# full allowlist above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: appliance-control-plane
  labels:
    app.kubernetes.io/name: appliance-control-plane
    app.kubernetes.io/part-of: alga-appliance
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: appliance-control-plane-setup-admin
subjects:
  - kind: ServiceAccount
    name: appliance-control-plane
    namespace: alga-appliance-control-plane