comms: fix mas db ensure rbac

services/comms/mas-db-ensure-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-db-ensure-2
+  name: mas-db-ensure-3
   namespace: comms
 spec:
   backoffLimit: 2

services/comms/mas-db-ensure-rbac.yaml

@@ -6,51 +6,24 @@ metadata:
   namespace: comms
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
-  name: mas-db-ensure-postgres
-  namespace: postgres
+  name: mas-db-ensure
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
-    resourceNames: ["postgres-auth"]
-    verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: mas-db-ensure-postgres
-  namespace: postgres
-subjects:
-  - kind: ServiceAccount
-    name: mas-db-ensure
-    namespace: comms
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: mas-db-ensure-postgres
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: mas-db-ensure-comms
-  namespace: comms
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["mas-db"]
+    resourceNames: ["postgres-auth", "mas-db"]
     verbs: ["get", "create", "patch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
-  name: mas-db-ensure-comms
-  namespace: comms
+  name: mas-db-ensure
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mas-db-ensure
 subjects:
   - kind: ServiceAccount
     name: mas-db-ensure
     namespace: comms
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: mas-db-ensure-comms