From f1c8cea0528567c3bdab59716008c71e0ee71f12 Mon Sep 17 00:00:00 2001
From: ansible <ansible@n0ball.tw>
Date: Tue, 10 Mar 2026 19:40:59 +0800
Subject: [PATCH] Update k8s manifests

---
 k8s/infrastructure/coredns-ci-rbac.yaml | 43 +++++++++++++++++++++++++
 k8s/infrastructure/kustomization.yaml   |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 k8s/infrastructure/coredns-ci-rbac.yaml

diff --git a/k8s/infrastructure/coredns-ci-rbac.yaml b/k8s/infrastructure/coredns-ci-rbac.yaml
new file mode 100644
index 0000000..02c00c2
--- /dev/null
+++ b/k8s/infrastructure/coredns-ci-rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coredns-ci
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: coredns-configmap-editor
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["coredns-custom"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["coredns"]
+    verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: coredns-ci-binding
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: coredns-configmap-editor
+subjects:
+  - kind: ServiceAccount
+    name: coredns-ci
+    namespace: kube-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: coredns-ci-token
+  namespace: kube-system
+  annotations:
+    kubernetes.io/service-account.name: coredns-ci
+type: kubernetes.io/service-account-token
diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml
index 05fb1c9..caf78b3 100644
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
   - keycloak/helmrelease.yaml
   - oidc-rbac.yaml
   - coredns-custom.yaml
+  - coredns-ci-rbac.yaml