From 4a39e654ab6f1c4478f0ab421aa6fd4afabaaffc Mon Sep 17 00:00:00 2001
From: Josh Gamache <joshua@button.is>
Date: Thu, 18 Jan 2024 01:15:52 -0700
Subject: [PATCH] chore: add service account template as required by terraform

---
 .../jobs/terraform-service-account.yaml       | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 chart/cas-cif/templates/jobs/terraform-service-account.yaml

diff --git a/chart/cas-cif/templates/jobs/terraform-service-account.yaml b/chart/cas-cif/templates/jobs/terraform-service-account.yaml
new file mode 100644
index 0000000000..663ab91770
--- /dev/null
+++ b/chart/cas-cif/templates/jobs/terraform-service-account.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "terraform-secret-admin"
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "terraform-kubernetes-service-account"
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "terraform-kubernetes-service-account-secret-admin-binding"
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: "terraform-secret-admin"
+subjects:
+- kind: ServiceAccount
+  name: "terraform-kubernetes-service-account"
+  namespace: {{ .Release.Namespace }}