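---
# Dedicated ServiceAccount for the Gitea runner. It is declared here so the
# bindings below can target it instead of the namespace's `default` SA;
# runner pods opt in with `serviceAccountName: gitea-runner`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitea-runner
  namespace: gitea
---
# Role scoped to the kaniko-builds namespace: submit a Kaniko build Job,
# watch it, read its logs and clean up. Nothing in this Role is cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kaniko-builder
  namespace: kaniko-builds
rules:
  # ConfigMaps in kaniko-builds (presumably the build context handed to
  # Kaniko; confirm against the runner workflow).
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "delete"]
  # Read-only view of pods; there is no create/delete on pods directly.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Build output. Whatever a build pod prints is readable by every subject
  # bound to this Role.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # The build runs as a batch Job; full lifecycle within this namespace.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Secrets in kaniko-builds (presumably registry credentials). Deliberately
  # no "list" or "watch": a subject can only fetch secrets whose names it
  # already knows, and cannot enumerate the namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
---
# Grants kaniko-builder inside kaniko-builds. The binding lives in the
# target namespace; the subjects live in gitea.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitea-runner-kaniko-builder
  namespace: kaniko-builds
subjects:
  # Preferred subject: the dedicated SA declared at the top of this file.
  - kind: ServiceAccount
    name: gitea-runner
    namespace: gitea
  # Kept for runners that still run under the namespace default SA. Every
  # pod in `gitea` without an explicit serviceAccountName inherits these
  # rights through this entry; drop it once runner pods use gitea-runner.
  - kind: ServiceAccount
    name: default
    namespace: gitea
roleRef:
  kind: Role
  name: kaniko-builder
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole to create namespaces (if needed). Namespaces are not
# namespaced objects, so a Role cannot grant this. It only allows creating
# and reading namespaces; the Role above is bound in kaniko-builds alone, so
# these manifests grant nothing inside any newly created namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-creator
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "get", "list"]
---
# Same subject pair as the RoleBinding. Remove this binding entirely if
# kaniko-builds is pre-created and the runner never needs new namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitea-runner-namespace-creator
subjects:
  - kind: ServiceAccount
    name: gitea-runner
    namespace: gitea
  # See the RoleBinding above: the default SA is a namespace-wide grant.
  - kind: ServiceAccount
    name: default
    namespace: gitea
roleRef:
  kind: ClusterRole
  name: namespace-creator
  apiGroup: rbac.authorization.k8s.io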