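# Namespaced RBAC for three workloads in `intern-workspace`: one
# ServiceAccount, one Role and one RoleBinding each for frontend, backend
# and MySQL.
#
# NOTE(review): a pod that never calls the Kubernetes API needs no Role, and
# its token mount can be disabled with `automountServiceAccountToken: false`.
# Confirm which of these workloads actually query the API.

# ==========================================
# FRONTEND RBAC
# ==========================================
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend-sa-syifa
  namespace: intern-workspace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: frontend-role-syifa
  namespace: intern-workspace
rules:
  # Frontend may read Services (to resolve the backend endpoint). The rule
  # as written also covers Pods and includes the `watch` verb.
  # NOTE(review): resolving a Service through cluster DNS needs no API
  # access; keep this rule only if the frontend queries the API itself.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: frontend-rolebinding-syifa
  namespace: intern-workspace
subjects:
  - kind: ServiceAccount
    name: frontend-sa-syifa
    namespace: intern-workspace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: frontend-role-syifa

# ==========================================
# BACKEND RBAC
# ==========================================
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backend-sa-syifa
  namespace: intern-workspace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: backend-role-syifa
  namespace: intern-workspace
rules:
  # Backend may read ConfigMaps and Secrets (for env).
  # NOTE(review): `get` + `list` on secrets lets this ServiceAccount read
  # every Secret in the namespace; `list` returns the Secret data, not only
  # the names. Values injected through `env`/`envFrom` or volumes are
  # resolved by the kubelet and need no RBAC rule. If the backend does call
  # the API, prefer `get` alone, scoped with `resourceNames`.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list"]
  # Backend may also inspect Pods and Services (for internal communication).
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: backend-rolebinding-syifa
  namespace: intern-workspace
subjects:
  - kind: ServiceAccount
    name: backend-sa-syifa
    namespace: intern-workspace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: backend-role-syifa

# ==========================================
# MYSQL RBAC
# ==========================================
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql-sa-syifa
  namespace: intern-workspace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mysql-role-syifa
  namespace: intern-workspace
rules:
  # MySQL may read ConfigMaps and Secrets.
  # NOTE(review): same exposure as the backend rule above: every Secret in
  # the namespace is readable with this ServiceAccount's token. Confirm the
  # database pod calls the Kubernetes API at all before keeping this rule.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mysql-rolebinding-syifa
  namespace: intern-workspace
subjects:
  - kind: ServiceAccount
    name: mysql-sa-syifa
    namespace: intern-workspace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mysql-role-syifa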