From 8099207353745cc4b8c772b64978df42e259de1d Mon Sep 17 00:00:00 2001 From: Codex Date: Fri, 5 Jun 2026 16:23:33 +0800 Subject: [PATCH] fix: grant provider profile secret rbac --- scripts/src/gitops-render.ts | 26 ++++++++++++++++++- .../cases/45-provider-profile-management.ts | 9 ++++++- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/scripts/src/gitops-render.ts b/scripts/src/gitops-render.ts index 7ec50cd..10b2c37 100644 --- a/scripts/src/gitops-render.ts +++ b/scripts/src/gitops-render.ts @@ -358,6 +358,30 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: agentrun-v01-mgr-runner-job-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: agentrun-v01-mgr-provider-secret-manager + namespace: ${namespace} +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3"] + verbs: ["get", "patch", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: agentrun-v01-mgr-provider-secret-manager + namespace: ${namespace} +subjects: + - kind: ServiceAccount + name: agentrun-v01-mgr +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agentrun-v01-mgr-provider-secret-manager `; } @@ -376,7 +400,7 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek"] + resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/src/selftest/cases/45-provider-profile-management.ts b/src/selftest/cases/45-provider-profile-management.ts index c9fb167..f7f8338 100644 --- a/src/selftest/cases/45-provider-profile-management.ts +++ b/src/selftest/cases/45-provider-profile-management.ts @@ -10,6 +10,13 @@ import { assertNoSecretLeak, type SelfTestCase } from "../harness.js"; const secretText = "sk-selftest-provider-profile-secret"; const selfTest: SelfTestCase = async (context) => { + const gitopsRenderer = await readFile(path.join(context.root, "scripts/src/gitops-render.ts"), "utf8"); + assert.equal(gitopsRenderer.includes("agentrun-v01-mgr-provider-secret-manager"), true); + assert.equal(gitopsRenderer.includes('verbs: ["get", "patch", "update"]'), true); + for (const profile of ["codex", "deepseek", "minimax-m3"]) { + assert.equal(gitopsRenderer.includes(`agentrun-v01-provider-${profile}`), true); + } + const fakeKubectl = path.join(context.tmp, "fake-provider-kubectl.js"); const appliedManifestPath = path.join(context.tmp, "provider-secret-apply.json"); const createdJobPath = path.join(context.tmp, "provider-validation-job.json"); @@ -102,7 +109,7 @@ process.exit(1); assert.equal(finalValidation.status, "completed"); assert.equal(JSON.stringify(finalValidation).includes(secretText), false); assertNoSecretLeak(finalValidation); - return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-validation-runner-job"] }; + return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] }; } finally { await new Promise((resolve) => server.server.close(() => resolve())); }