gitops/apps/argocd-config/argocd-ha-patch-rbac.yaml

# RBAC für ArgoCD HA Patch Job
# WICHTIG: Job braucht Rechte zum Patchen von Deployments

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-ha-patch
  namespace: argocd
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]  # list/watch für rollout status
  - apiGroups: ["apps"]
    resources: ["deployments/status"]
    verbs: ["get", "list", "watch"]  # list/watch für rollout status

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-ha-patch
  namespace: argocd

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-ha-patch
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-ha-patch
subjects:
  - kind: ServiceAccount
    name: argocd-ha-patch
    namespace: argocd