diff --git a/scripts/src/gitops-render.ts b/scripts/src/gitops-render.ts index 131fe0f..ce96b75 100644 --- a/scripts/src/gitops-render.ts +++ b/scripts/src/gitops-render.ts @@ -365,10 +365,13 @@ metadata: name: agentrun-v01-mgr-provider-secret-manager namespace: ${namespace} rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] - apiGroups: [""] resources: ["secrets"] resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3", "agentrun-v01-provider-dsflash-go"] - verbs: ["create", "get", "patch", "update"] + verbs: ["get", "patch", "update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/src/selftest/cases/45-provider-profile-management.ts b/src/selftest/cases/45-provider-profile-management.ts index 33c0aee..36c89eb 100644 --- a/src/selftest/cases/45-provider-profile-management.ts +++ b/src/selftest/cases/45-provider-profile-management.ts @@ -12,7 +12,8 @@ const secretText = "sk-selftest-provider-profile-secret"; const selfTest: SelfTestCase = async (context) => { const gitopsRenderer = await readFile(path.join(context.root, "scripts/src/gitops-render.ts"), "utf8"); assert.equal(gitopsRenderer.includes("agentrun-v01-mgr-provider-secret-manager"), true); - assert.equal(gitopsRenderer.includes('verbs: ["create", "get", "patch", "update"]'), true); + assert.equal(gitopsRenderer.includes('verbs: ["create"]'), true); + assert.equal(gitopsRenderer.includes('verbs: ["get", "patch", "update"]'), true); assert.equal(gitopsRenderer.includes('resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3", "agentrun-v01-provider-dsflash-go"]'), true); for (const profile of ["codex", "deepseek", "minimax-m3", "dsflash-go"]) { assert.equal(gitopsRenderer.includes(`agentrun-v01-provider-${profile}`), true);