From 4977f513c521664204028b8d4b5f5c8d9422dcab Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 10 Aug 2025 17:43:02 -0500
Subject: [PATCH] dch-webhooks: Add role for Jenkins to deploy

Jenkins needs to be able to patch the Deployment to trigger a restart
after it builds a new container image for _dch-webhooks_.

Note that this manifest must be applied on its own **without
Kustomize**.  Kustomize seems to think the `dch-webhooks` in
`resourceNames` refers to the ConfigMap it manages and "helpfully"
renames it with the name suffix hash.  It's _not_ the ConfigMap, though,
but there's not really any way to tell it this.
---
 dch-webhooks/jenkins.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 dch-webhooks/jenkins.yaml

diff --git a/dch-webhooks/jenkins.yaml b/dch-webhooks/jenkins.yaml
new file mode 100644
index 0000000..157263b
--- /dev/null
+++ b/dch-webhooks/jenkins.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins.dch-webhooks
+rules:
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    resourceNames:
+    - dch-webhooks
+    verbs:
+    - get
+    - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins.dch-webhooks
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins.dch-webhooks
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs