# Manifests for the `juwan` namespace: the JWT secret, the two ServiceAccounts
# that consume it, and the RBAC that lets them read it.
---
apiVersion: v1
kind: Secret
metadata:
  name: jwt-secret
  namespace: juwan
type: Opaque
# NOTE(review): the key material is committed in this manifest, so anyone
# with read access to the repository can recover it. Prefer injecting it at
# deploy time; rotating it means replacing the value here.
data:
  # base64 as required by `data`; the decoded value looks like a 64-character
  # hex string — confirm the consumers expect hex rather than raw key bytes.
  secret-key: MGUyMWE3ZDhjMTQ5ZDg1MWViOWU0MGM3OTE2NWVkYTBlOTE5ZWRkZDU1YjYzOGJjOWRiNzM0NTc4NDIyMjlkZQ==
---
# Identity for the user-rpc workload; bound to jwt-secret-reader below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-rpc
  namespace: juwan
---
# Identity for the envoy-gateway workload; bound to jwt-secret-reader below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: envoy-gateway
  namespace: juwan
---
# Namespace-scoped Role shared by both ServiceAccounts. Because it is shared,
# each subject receives the service-discovery verbs as well as the Secret read.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jwt-secret-reader
  namespace: juwan
rules:
  # Read permission for the JWT Secret. Limited to the single named Secret
  # via resourceNames and to `get` only — keep `list`/`watch` off this rule.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - jwt-secret
    verbs:
      - get
  # Service-discovery permissions (required by the go-zero framework).
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
---
# Grants jwt-secret-reader to the user-rpc ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-rpc-jwt-secret-reader
  namespace: juwan
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jwt-secret-reader
subjects:
  - kind: ServiceAccount
    name: user-rpc
    namespace: juwan
---
# Grants jwt-secret-reader to the envoy-gateway ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: envoy-gateway-jwt-secret-reader
  namespace: juwan
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jwt-secret-reader
subjects:
  - kind: ServiceAccount
    name: envoy-gateway
    namespace: juwan