From a431a8b33311d3dd710f84c4ba12c0ef5f7451b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?=
Date: Mon, 30 Mar 2026 17:54:24 +0200
Subject: [PATCH] fix(kueue): Add rbac for sorcerer
---
 .../manifests/sorcerer-queue-access.yaml | 20 +++++++++----------
 .../beta-ekman/deployment_patch.yaml | 5 +++++
 .../kustomize/beta-ekman/kueue-config.yaml | 7 +++++++
 .../kustomize/beta-ekman/kustomization.yaml | 1 +
 .../sorcerer/kustomize/beta-ekman/rbac.yaml | 19 ++++++++++++++++++
 .../prod-ekman/deployment_patch.yaml | 5 +++++
 .../kustomize/prod-ekman/kueue-config.yaml | 7 +++++++
 .../kustomize/prod-ekman/kustomization.yaml | 1 +
 .../sorcerer/kustomize/prod-ekman/rbac.yaml | 19 ++++++++++++++++++
 .../staging-ekman/deployment_patch.yaml | 5 +++++
 .../kustomize/staging-ekman/kueue-config.yaml | 7 +++++++
 .../staging-ekman/kustomization.yaml | 1 +
 .../kustomize/staging-ekman/rbac.yaml | 19 ++++++++++++++++++
 13 files changed, 106 insertions(+), 10 deletions(-)
 create mode 100644 values/sorcerer/kustomize/beta-ekman/kueue-config.yaml
 create mode 100644 values/sorcerer/kustomize/prod-ekman/kueue-config.yaml
 create mode 100644 values/sorcerer/kustomize/staging-ekman/kueue-config.yaml
diff --git a/values/kueue/manifests/sorcerer-queue-access.yaml b/values/kueue/manifests/sorcerer-queue-access.yaml
index 1c7ee354..6eae549b 100644
--- a/values/kueue/manifests/sorcerer-queue-access.yaml
+++ b/values/kueue/manifests/sorcerer-queue-access.yaml
@@ -2,8 +2,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: beta-sorcerer-dev-queue
- namespace: dev-queue
+ name: beta-sorcerer-prod-queue
+ namespace: prod-queue
 rules:
 - apiGroups:
 - jobset.x-k8s.io
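Review bot: Renaming `beta-sorcerer-dev-queue` to `beta-sorcerer-prod-queue` with `namespace: prod-queue` gives the beta service account a Role in the same queue namespace that `prod-sorcerer` uses, so a pre-release build holds whatever jobset permissions this Role carries against production workloads. The verbs of the rule are outside the hunk, so the exact reach cannot be confirmed from here; the RoleBinding hunk at -27 binds it to `beta-sorcerer`, and the hunks at -41 and -66 apply the same rename for `prod-sorcerer`. If sharing the queue is intended, record it above the Role, e.g. `# beta-sorcerer intentionally submits to prod-queue (shared with prod-sorcerer)`; otherwise bind beta to a queue namespace of its own.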
@@ -27,12 +27,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: beta-sorcerer-dev-queue
- namespace: dev-queue
+ name: beta-sorcerer-prod-queue
+ namespace: prod-queue
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: beta-sorcerer-dev-queue
+ name: beta-sorcerer-prod-queue
 subjects:
 - kind: ServiceAccount
 name: beta-sorcerer
@@ -41,8 +41,8 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: prod-sorcerer-dev-queue
- namespace: dev-queue
+ name: prod-sorcerer-prod-queue
+ namespace: prod-queue
 rules:
 - apiGroups:
 - jobset.x-k8s.io
@@ -66,12 +66,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: prod-sorcerer-dev-queue
- namespace: dev-queue
+ name: prod-sorcerer-prod-queue
+ namespace: prod-queue
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: prod-sorcerer-dev-queue
+ name: prod-sorcerer-prod-queue
 subjects:
 - kind: ServiceAccount
 name: prod-sorcerer
diff --git a/values/sorcerer/kustomize/beta-ekman/deployment_patch.yaml b/values/sorcerer/kustomize/beta-ekman/deployment_patch.yaml
index c2860a1d..2ad66000 100644
--- a/values/sorcerer/kustomize/beta-ekman/deployment_patch.yaml
+++ b/values/sorcerer/kustomize/beta-ekman/deployment_patch.yaml
@@ -11,4 +11,9 @@
 value:
 secretRef:
 name: prod-sorcerer-env
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ configMapRef:
+ name: beta-sorcerer-kueue-config
diff --git a/values/sorcerer/kustomize/beta-ekman/kueue-config.yaml b/values/sorcerer/kustomize/beta-ekman/kueue-config.yaml
new file mode 100644
index 00000000..11a7c491
--- /dev/null
+++ b/values/sorcerer/kustomize/beta-ekman/kueue-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: beta-sorcerer-kueue-config
+data:
+ KUEUE_NAMESPACE: "prod-queue"
+ KUEUE_ARCHIVE_PVC: "prod-queue-ceph-archives"
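Review bot: `KUEUE_ARCHIVE_PVC: "prod-queue-ceph-archives"` in the beta overlay is the same claim name the prod overlay's ConfigMap uses, so jobs launched by beta would presumably attach the production archive volume. Whether that volume is mounted read-only is not visible in this patch; if beta only needs to read archives that should be enforced where the JobSet is built, and if it needs to write, a separate PVC would keep beta output out of production data. The beta deployment patch also keeps a `secretRef` to `prod-sorcerer-env` in its context lines, so a comment above `data:` stating that the shared production values are deliberate would help the next reviewer.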
diff --git a/values/sorcerer/kustomize/beta-ekman/kustomization.yaml b/values/sorcerer/kustomize/beta-ekman/kustomization.yaml
index 054f2b14..89cc6ec3 100644
--- a/values/sorcerer/kustomize/beta-ekman/kustomization.yaml
+++ b/values/sorcerer/kustomize/beta-ekman/kustomization.yaml
@@ -18,6 +18,7 @@ resources:
 - configurations.yaml
 - keyvault.yaml
 - rbac.yaml
+- kueue-config.yaml
 - secretstore.yaml
 - statestore.yaml
 - tracing.yaml
\ No newline at end of file
diff --git a/values/sorcerer/kustomize/beta-ekman/rbac.yaml b/values/sorcerer/kustomize/beta-ekman/rbac.yaml
index 188ce09a..7337cf59 100644
--- a/values/sorcerer/kustomize/beta-ekman/rbac.yaml
+++ b/values/sorcerer/kustomize/beta-ekman/rbac.yaml
@@ -8,6 +8,7 @@ rules:
 - ""
 resourceNames:
 - beta-sorcerer-appsettings
+ - beta-sorcerer-kueue-config
 resources:
 - configmaps
 verbs:
@@ -23,6 +24,24 @@ rules:
 verbs:
 - get
 - watch
+- apiGroups:
+ - jobset.x-k8s.io
+ resources:
+ - jobsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/values/sorcerer/kustomize/prod-ekman/deployment_patch.yaml b/values/sorcerer/kustomize/prod-ekman/deployment_patch.yaml
index c2860a1d..838ba4c9 100644
--- a/values/sorcerer/kustomize/prod-ekman/deployment_patch.yaml
+++ b/values/sorcerer/kustomize/prod-ekman/deployment_patch.yaml
@@ -11,4 +11,9 @@
 value:
 secretRef:
 name: prod-sorcerer-env
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ configMapRef:
+ name: prod-sorcerer-kueue-config
diff --git a/values/sorcerer/kustomize/prod-ekman/kueue-config.yaml b/values/sorcerer/kustomize/prod-ekman/kueue-config.yaml
new file mode 100644
index 00000000..e100631f
--- /dev/null
+++ b/values/sorcerer/kustomize/prod-ekman/kueue-config.yaml
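Review bot: Adding `beta-sorcerer-kueue-config` to `resourceNames` in the -8 hunk of beta-ekman/rbac.yaml may grant more than the change needs, because the ConfigMap is consumed through `envFrom` in deployment_patch.yaml and the kubelet resolves that without any RBAC on the pod's service account. The entry is only required if the application also reads the ConfigMap through the API; the verbs of this rule are outside the hunk. If it does not, drop the line here and in the matching prod-ekman and staging-ekman rbac.yaml hunks.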
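Review bot: The new `pods` / `pods/log` rule in the -23 hunk of beta-ekman/rbac.yaml applies to every pod in the namespace this Role lives in, so the service account can read the logs of all of them, and the `jobsets` rule adds `create` and `delete` there as well. The Role's metadata is outside the hunk, but it appears to be the overlay's own namespace, whereas `KUEUE_NAMESPACE` in kueue-config.yaml points at `prod-queue`, where values/kueue/manifests/sorcerer-queue-access.yaml already carries a jobset Role. If jobs only ever run in the queue namespace, these two rules are unused grants and should be removed; if they are needed, a comment above them such as `# JobSets are also created in this namespace because ...` should say why. The same two rules are added in the prod-ekman and staging-ekman rbac.yaml hunks.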
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: prod-sorcerer-kueue-config
+data:
+ KUEUE_NAMESPACE: "prod-queue"
+ KUEUE_ARCHIVE_PVC: "prod-queue-ceph-archives"
diff --git a/values/sorcerer/kustomize/prod-ekman/kustomization.yaml b/values/sorcerer/kustomize/prod-ekman/kustomization.yaml
index 1bb40a9a..b7f0116d 100644
--- a/values/sorcerer/kustomize/prod-ekman/kustomization.yaml
+++ b/values/sorcerer/kustomize/prod-ekman/kustomization.yaml
@@ -18,6 +18,7 @@ resources:
 - configurations.yaml
 - keyvault.yaml
 - rbac.yaml
+- kueue-config.yaml
 - secretstore.yaml
 - statestore.yaml
 - tracing.yaml
\ No newline at end of file
diff --git a/values/sorcerer/kustomize/prod-ekman/rbac.yaml b/values/sorcerer/kustomize/prod-ekman/rbac.yaml
index 62bc060f..ffb21605 100644
--- a/values/sorcerer/kustomize/prod-ekman/rbac.yaml
+++ b/values/sorcerer/kustomize/prod-ekman/rbac.yaml
@@ -8,6 +8,7 @@ rules:
 - ""
 resourceNames:
 - prod-sorcerer-appsettings
+ - prod-sorcerer-kueue-config
 resources:
 - configmaps
 verbs:
@@ -23,6 +24,24 @@ rules:
 verbs:
 - get
 - watch
+- apiGroups:
+ - jobset.x-k8s.io
+ resources:
+ - jobsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/values/sorcerer/kustomize/staging-ekman/deployment_patch.yaml b/values/sorcerer/kustomize/staging-ekman/deployment_patch.yaml
index d9652177..d2c424d2 100644
--- a/values/sorcerer/kustomize/staging-ekman/deployment_patch.yaml
+++ b/values/sorcerer/kustomize/staging-ekman/deployment_patch.yaml
@@ -11,4 +11,9 @@
 value:
 secretRef:
 name: staging-sorcerer-env
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ configMapRef:
+ name: staging-sorcerer-kueue-config
diff --git a/values/sorcerer/kustomize/staging-ekman/kueue-config.yaml b/values/sorcerer/kustomize/staging-ekman/kueue-config.yaml
new file mode 100644
index 00000000..95a54e4f
--- /dev/null
+++ b/values/sorcerer/kustomize/staging-ekman/kueue-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: staging-sorcerer-kueue-config
+data:
+ KUEUE_NAMESPACE: "dev-queue"
+ KUEUE_ARCHIVE_PVC: "dev-queue-ceph-archives"
diff --git a/values/sorcerer/kustomize/staging-ekman/kustomization.yaml b/values/sorcerer/kustomize/staging-ekman/kustomization.yaml
index 7a95bfe1..e9f23010 100644
--- a/values/sorcerer/kustomize/staging-ekman/kustomization.yaml
+++ b/values/sorcerer/kustomize/staging-ekman/kustomization.yaml
@@ -18,6 +18,7 @@ resources:
 - configurations.yaml
 - keyvault.yaml
 - rbac.yaml
+- kueue-config.yaml
 - secretstore.yaml
 - statestore.yaml
 - tracing.yaml
diff --git a/values/sorcerer/kustomize/staging-ekman/rbac.yaml b/values/sorcerer/kustomize/staging-ekman/rbac.yaml
index 1392b9af..a9178a5a 100644
--- a/values/sorcerer/kustomize/staging-ekman/rbac.yaml
+++ b/values/sorcerer/kustomize/staging-ekman/rbac.yaml
@@ -8,6 +8,7 @@ rules:
 - ""
 resourceNames:
 - staging-sorcerer-appsettings
+ - staging-sorcerer-kueue-config
 resources:
 - configmaps
 verbs:
@@ -23,6 +24,24 @@ rules:
 verbs:
 - get
 - watch
+- apiGroups:
+ - jobset.x-k8s.io
+ resources:
+ - jobsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
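Review bot: `KUEUE_NAMESPACE: "dev-queue"` in the staging ConfigMap points at a namespace for which this patch provides no Role, since the only dev-queue Roles visible in values/kueue/manifests/sorcerer-queue-access.yaml are renamed to prod-queue by this same commit. The rules added to staging-ekman/rbac.yaml are namespaced to wherever that Role lives, which does not appear to be dev-queue. Unless a Role and RoleBinding for the staging service account in `dev-queue` exist outside the shown hunks, staging requests against that namespace would be denied; confirm one exists or add it next to the beta and prod entries.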