From adec2c135ff1076afb607612eab1fe6ca410dd8f Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 4 Jun 2026 14:38:16 +0000
Subject: [PATCH] fix(novelapp): also bind gheorghe's dashboard SA to novelapp admin

His app lives in novelapp, but the dashboard injects his SA token (system:serviceaccount:vabbit81:dashboard-vabbit81), while the existing binding only granted the OIDC User vabbit81@gmail.com (OIDC blocked). Add the SA as a second subject so the web dashboard (token-injector) can manage novelapp. Verified: SA can list/create in novelapp; injector path returns 200.

Co-Authored-By: Claude Opus 4.8
---
 stacks/novelapp/main.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf
index fe50a66f..63269ff2 100644
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@@ -245,7 +245,11 @@ module "ingress" {
   }
 }
 
-# RBAC — grant vabbit81 (Gheorghe) admin access to novelapp namespace
+# RBAC — grant vabbit81 (Gheorghe) admin access to novelapp namespace.
+# Two subjects: the OIDC User (for kubectl/kubelogin, once apiserver OIDC works)
+# AND his dashboard ServiceAccount (the web dashboard injects this SA's token —
+# see stacks/k8s-dashboard/dashboard_injector.tf — so it needs the grant too,
+# since the apiserver sees the SA, not the email, as the subject).
 resource "kubernetes_role_binding" "novelapp_owner_vabbit81" {
   metadata {
     name = "novelapp-owner-vabbit81"
@@ -261,6 +265,12 @@ resource "kubernetes_role_binding" "novelapp_owner_vabbit81" {
     kind = "User"
     name = "vabbit81@gmail.com"
   }
+  subject {
+    api_group = ""
+    kind = "ServiceAccount"
+    name = "dashboard-vabbit81"
+    namespace = "vabbit81"
+  }
 }
 
 # Sealed Secrets — encrypted secrets safe to commit to git
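Review bot: The ServiceAccount subject added in the second hunk widens the grant from one human identity to every workload or principal in namespace vabbit81 that can use a token for dashboard-vabbit81 (a pod mounting it, or anyone permitted to create its tokens there), and the comment added in the first hunk does not make that cross-namespace trust visible. I'd add `# NOTE: any pod or principal in vabbit81 able to use this SA's token inherits the role below.` directly above the new `subject {` block so an RBAC audit sees the blast radius without reading the dashboard injector. The role_ref that defines what "admin access" actually means is outside the hunk, so its scope cannot be confirmed from here; `api_group = ""` is the correct value for a ServiceAccount subject. The resource body continues outside both hunks.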