---
# ServiceAccount for the Pingora pod.
# sunbeam-proxy's watcher authenticates to the API server with this SA's
# in-cluster token when it watches the pingora-tls Secret and the
# pingora-config ConfigMap for changes.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pingora
  namespace: ingress
---
# Read-only Role for the watcher. A Role (not a ClusterRole) keeps the grant
# inside the ingress namespace.
#
# NOTE(review): the secrets and configmaps rules below are namespace-wide, so
# this token can read every Secret in `ingress`, not only pingora-tls. They
# could be narrowed with `resourceNames: ["pingora-tls"]` and
# `resourceNames: ["pingora-config"]`, but list/watch are only authorized under
# resourceNames when the client sends a `metadata.name=` field selector —
# confirm the watcher does so before tightening.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pingora-watcher
  namespace: ingress
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Ingresses are watched so cert-manager HTTP-01 challenge traffic is routed
  # to the per-domain solver pod: cert-manager creates one Ingress per
  # challenge carrying the exact token path and solver Service name.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
# Binds the pingora-watcher Role to the pingora ServiceAccount above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pingora-watcher
  namespace: ingress
subjects:
  - kind: ServiceAccount
    name: pingora
    namespace: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pingora-watcher