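---
# RBAC for the provisioning-rag service account.
#
# Four documents:
#   1. Role               - namespaced read access inside provisioning-rag
#   2. RoleBinding        - binds (1) to the provisioning-rag ServiceAccount
#   3. ClusterRole        - cluster-wide read of nodes and namespaces
#   4. ClusterRoleBinding - binds (3) to the same ServiceAccount
#
# Every pod that runs as ServiceAccount provisioning-rag/provisioning-rag
# receives all of the permissions below.

# Role for RAG Service
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: provisioning-rag
  namespace: provisioning-rag
  labels:
    app: provisioning-rag
    component: rbac
rules:
  # Read ConfigMaps
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Read Secrets
  # NOTE(review): with no resourceNames this rule covers every Secret in the
  # namespace, and `list` returns the full Secret objects including their data,
  # not just names. If the service only needs specific Secrets, prefer `get`
  # with `resourceNames: ["<secret-name-placeholder>"]` and drop `list`
  # (resourceNames does not constrain an ordinary list call). Confirm against
  # what the service actually reads before tightening.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  # Read Pods for leader election
  # NOTE(review): this rule is read-only on pods. client-go style leader
  # election takes a lock on a Lease (coordination.k8s.io), which this Role
  # does not grant. Presumably pods are read for peer discovery; confirm the
  # intent and remove the rule if it is unused.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Read PersistentVolumeClaims
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list"]
  # Create events for logging
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# RoleBinding for RAG Service
# Grants the namespaced Role above to the service account; roleRef is
# immutable once created, so changing it means delete and recreate.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: provisioning-rag
  namespace: provisioning-rag
  labels:
    app: provisioning-rag
    component: rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: provisioning-rag
subjects:
  - kind: ServiceAccount
    name: provisioning-rag
    namespace: provisioning-rag
---
# ClusterRole for RAG Service (if cross-namespace access needed)
# NOTE(review): the "if needed" is not expressed in the manifest: the
# ClusterRoleBinding below is always applied, so the service account can
# always enumerate every node and namespace in the cluster. Drop this
# ClusterRole and its binding if cross-namespace access is not required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: provisioning-rag
  labels:
    app: provisioning-rag
    component: rbac
rules:
  # Read nodes for topology awareness
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Read namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding for RAG Service
# Cluster-scoped binding: the subject is the namespaced ServiceAccount, but
# the granted read access applies cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provisioning-rag
  labels:
    app: provisioning-rag
    component: rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: provisioning-rag
subjects:
  - kind: ServiceAccount
    name: provisioning-rag
    namespace: provisioning-rag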