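# Shared ServiceAccount used both by Tekton build runs and by Tekton Triggers.
#
# NOTE(review): one SA serves the EventListener pod (which accepts inbound
# webhooks) and the build PipelineRuns that carry the Harbor push credentials.
# Splitting this into a trigger SA and a build SA would keep a compromised
# listener from reusing the registry credentials — TODO confirm with the
# pipeline owners before changing the SA name referenced elsewhere.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-build-sa
  namespace: tekton-demo
secrets:
  - name: harbor-dockerconfig  # Harbor auth Secret; Tekton's credential init picks up Secrets listed here
imagePullSecrets:
  - name: harbor-dockerconfig  # same Secret, used by the kubelet to pull images from Harbor
---
# Namespaced permissions for tekton-build-sa inside tekton-demo.
#
# Rules are split per apiGroup so each grant only names resources that exist
# in that group (the previous single rule was a cross product of every group
# with every resource). Verbs are cut down to least privilege: read Triggers
# objects, create and observe PipelineRuns, read config, write events.
# update/delete on pods and pipelineruns were removed on purpose — if a task
# genuinely needs them, add a narrowly scoped rule here rather than widening
# these.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-build-role
  namespace: tekton-demo
rules:
  # Trigger definitions the EventListener resolves on each incoming request.
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
    verbs: ["get", "list", "watch"]
  # PipelineRuns instantiated from TriggerTemplates; read verbs let the
  # listener and build tooling observe run status.
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns"]
    verbs: ["get", "list", "watch", "create"]
  # Task definitions referenced by runs are only ever read.
  - apiGroups: ["tekton.dev"]
    resources: ["tasks"]
    verbs: ["get", "list", "watch"]
  # Webhook Secrets and ConfigMaps referenced by interceptors/templates.
  # Scoped to this namespace; previously granted cluster-wide with delete.
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
  # Pod visibility for log/status lookups; no mutation.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Emitting Events only needs create (and patch for event aggregation).
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# RoleBinding: grant tekton-build-role to tekton-build-sa in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-build-rolebinding
  namespace: tekton-demo
subjects:
  - kind: ServiceAccount
    name: tekton-build-sa
    namespace: tekton-demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-build-role
---
# Cluster-scoped Tekton Triggers permissions.
#
# Only genuinely cluster-scoped kinds belong here. The earlier version granted
# get/list/watch/create/update/patch/delete on secrets, configmaps, pods,
# services, endpoints and deployments; bound through a ClusterRoleBinding that
# meant a build ServiceAccount could read and delete Secrets in every
# namespace. Those namespaced grants now live in tekton-build-role above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-role
rules:
  # NOTE(review): ClusterTriggerBinding and ClusterInterceptor are the
  # cluster-scoped Triggers kinds — confirm the installed Triggers release
  # serves both before relying on this rule.
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["clustertriggerbindings", "clusterinterceptors"]
    verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding: grant the (now read-only, cluster-scoped-only)
# tekton-triggers-role to tekton-build-sa.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: tekton-build-sa
    namespace: tekton-demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-role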