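---
# ---- Namespace ----
# Every object in this file lives in code-system. The operator's permissions
# are granted through a namespace-scoped Role/RoleBinding pair only; no
# ClusterRole is defined here.
apiVersion: v1
kind: Namespace
metadata:
  name: code-system
---
# ---- ServiceAccount ----
# Identity the operator Deployment runs as; bound to the Role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: code-operator
  namespace: code-system
---
# ---- RBAC: Role ----
# Least-privilege rules for the operator. Each rule lists only the resource
# kinds the preceding comment names; all rules are confined to code-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: code-operator
  namespace: code-system
rules:
  # CRDs we manage
  - apiGroups: ["code.dev"]
    resources:
      - apps
      - gitservers
      - emailworkers
      - githooks
      - migrates
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Status subresources
  - apiGroups: ["code.dev"]
    resources:
      - apps/status
      - gitservers/status
      - emailworkers/status
      - githooks/status
      - migrates/status
    verbs: ["get", "patch", "update"]
  # Child resources managed by App
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Child resources managed by GitServer
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Child resources managed by GitHook
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Child resources managed by Migrate
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
  # Secrets (read-only for env var resolution)
  # NOTE(review): "list"/"watch" expose every Secret in code-system to the
  # operator, not only those an App references. If the controller resolves
  # Secrets by name, "get" alone is enough — confirm against the operator's
  # informer/cache setup before narrowing.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# ---- RBAC: RoleBinding ----
# Attaches the Role above to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: code-operator
  namespace: code-system
subjects:
  - kind: ServiceAccount
    name: code-operator
    namespace: code-system
roleRef:
  kind: Role
  name: code-operator
  apiGroup: rbac.authorization.k8s.io
---
# ---- Deployment ----
apiVersion: apps/v1
kind: Deployment
metadata:
  name: code-operator
  namespace: code-system
  labels:
    app.kubernetes.io/name: code-operator
    app.kubernetes.io/managed-by: code-operator
    app.kubernetes.io/part-of: code-system
spec:
  # NOTE(review): nothing in this manifest configures leader election; confirm
  # the controller handles it before raising the replica count.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: code-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: code-operator
        app.kubernetes.io/managed-by: code-operator
        app.kubernetes.io/part-of: code-system
    spec:
      serviceAccountName: code-operator
      terminationGracePeriodSeconds: 10
      # Writable scratch space; needed because the root filesystem is mounted
      # read-only below.
      volumes:
        - name: tmp
          emptyDir: {}
      containers:
        - name: operator
          # NOTE(review): a mutable ":latest" tag combined with IfNotPresent
          # means each node keeps whatever image it first pulled. Pin an
          # immutable tag or digest for reproducible, auditable rollouts.
          image: myapp/operator:latest
          imagePullPolicy: IfNotPresent
          env:
            # Prefix prepended to images the operator creates for its CRs.
            - name: OPERATOR_IMAGE_PREFIX
              value: "myapp/"
            - name: OPERATOR_LOG_LEVEL
              value: "info"
            # Injected from the pod itself so the operator watches its own
            # namespace without hard-coding it.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
            # Memory-only limit: a CPU limit is intentionally omitted.
            limits:
              memory: 256Mi
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # Confine syscalls to the container runtime's default profile.
            # Without an explicit profile the kubelet default applies, which
            # is Unconfined unless the node enables SeccompDefault.
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL
            # NOTE(review): runAsNonRoot: true is the remaining "restricted"
            # Pod Security Standard requirement; add it once the image is
            # confirmed to run as a non-root UID.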