{{- if .Values.database.enabled }} # Role + RoleBinding que permiten al SA de la app leer el Secret `-db-creds` # en el ns `apps`. Lo consume el InitContainer `wait-for-secret` del Job Alembic # (hook pre-install/pre-upgrade weight 0) que hace busy-wait hasta que # addon-provisioner publica el Secret tras reconciliar el AddonClaim. # # Hook weight "-7" — entre AddonClaim (-10) y SA (-5): # - Garantiza que RBAC exista antes de que el SA del hook -5 se materialice # y antes de que el Job -0 intente leer el Secret. # - delete-policy: before-hook-creation para que sea idempotente entre upgrades # sin dejar Roles huerfanos. # # Scope minimo: solo lectura (get/watch) del Secret `-db-creds`, no # secrets cluster-wide ni del ns `addons`. El root Secret de MariaDB vive en # `addons` y nunca debe ser accesible desde `apps` (ADR-052 §6.1). apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ .Release.Name }}-db-secret-reader labels: {{- include "app.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "-7" "helm.sh/hook-delete-policy": before-hook-creation rules: - apiGroups: [""] resources: ["secrets"] resourceNames: [{{ .Values.database.secretName | quote }}] verbs: ["get", "watch", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ .Release.Name }}-db-secret-reader labels: {{- include "app.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "-7" "helm.sh/hook-delete-policy": before-hook-creation subjects: - kind: ServiceAccount name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ .Release.Name }}-db-secret-reader {{- end }}