From c8fc1dd10a3fb0760b3c1e8ac867f6c14aad3f5e Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 8 Jan 2026 02:47:47 -0300
Subject: [PATCH] comms: fix mas db ensure rbac
---
 services/comms/mas-db-ensure-job.yaml | 2 +-
 services/comms/mas-db-ensure-rbac.yaml | 45 ++++++--------------------
 2 files changed, 10 insertions(+), 37 deletions(-)
diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml
index f4b4653..9ac32c2 100644
--- a/services/comms/mas-db-ensure-job.yaml
+++ b/services/comms/mas-db-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-db-ensure-2
+ name: mas-db-ensure-3
 namespace: comms
 spec:
 backoffLimit: 2
diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml
index fe075d6..bbf5224 100644
--- a/services/comms/mas-db-ensure-rbac.yaml
+++ b/services/comms/mas-db-ensure-rbac.yaml
@@ -6,51 +6,24 @@ metadata:
 namespace: comms
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
- name: mas-db-ensure-postgres
- namespace: postgres
+ name: mas-db-ensure
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- resourceNames: ["postgres-auth"]
- verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: mas-db-ensure-postgres
- namespace: postgres
-subjects:
- - kind: ServiceAccount
- name: mas-db-ensure
- namespace: comms
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: mas-db-ensure-postgres
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: mas-db-ensure-comms
- namespace: comms
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["mas-db"]
+ resourceNames: ["postgres-auth", "mas-db"]
 verbs: ["get", "create", "patch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
- name: mas-db-ensure-comms
- namespace: comms
+ name: mas-db-ensure
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: mas-db-ensure
 subjects:
 - kind: ServiceAccount
 name: mas-db-ensure
 namespace: comms
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: mas-db-ensure-comms
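Review bot: The new ClusterRole `mas-db-ensure` bound by a ClusterRoleBinding gives the `mas-db-ensure` ServiceAccount `get`, `patch` and `update` on any Secret named `postgres-auth` or `mas-db` in every namespace, and it makes `postgres-auth` writable where the removed Role in `postgres` allowed only `get`. If the Job still only needs to read `postgres-auth` in `postgres` and manage `mas-db` in `comms`, as the removed Roles suggest, split the rule per secret and bind the ClusterRole with namespaced RoleBindings instead of a ClusterRoleBinding, as sketched below. In that sketch both rules still apply in each bound namespace, so restoring the two namespaced Roles would be tighter if the original failure can be fixed another way; the cause of that failure is not visible in this patch. Separately, Kubernetes does not restrict `create` by `resourceNames`, so that verb probably never matches in this rule and it is worth confirming the Job does not depend on it.

```yaml
# ClusterRole mas-db-ensure: one rule per secret so postgres-auth stays read-only
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["postgres-auth"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mas-db"]
    verbs: ["get", "create", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mas-db-ensure
  namespace: comms
# … unchanged: roleRef to ClusterRole mas-db-ensure, subjects …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mas-db-ensure
  namespace: postgres
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mas-db-ensure
subjects:
  - kind: ServiceAccount
    name: mas-db-ensure
    namespace: comms
```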