---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-prod-queue-ceph-archives
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  csi:
    driver: rook-ceph.cephfs.csi.ceph.com
    nodeStageSecretRef:
      name: rook-csi-cephfs-node
      namespace: rook-ceph
    volumeAttributes:
      clusterID: rook-ceph
      fsName: data
      rootPath: /
      staticVolume: "true"
    volumeHandle: pv-prod-queue-ceph-archives
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: prod-queue-ceph-archives
  namespace: prod-queue
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: ""
  volumeMode: Filesystem
  volumeName: pv-prod-queue-ceph-archives
---
# Cross-namespace RBAC: allow sorcerer ServiceAccounts to manage JobSets in dev-queue
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: beta-sorcerer-prod-queue
  namespace: prod-queue
rules:
- apiGroups:
  - jobset.x-k8s.io
  resources:
  - jobsets
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: beta-sorcerer-prod-queue
  namespace: prod-queue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: beta-sorcerer-prod-queue
subjects:
- kind: ServiceAccount
  name: beta-sorcerer
  namespace: beta-sorcerer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prod-sorcerer-prod-queue
  namespace: prod-queue
rules:
- apiGroups:
  - jobset.x-k8s.io
  resources:
  - jobsets
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-sorcerer-prod-queue
  namespace: prod-queue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prod-sorcerer-prod-queue
subjects:
- kind: ServiceAccount
  name: prod-sorcerer
  namespace: prod-sorcerer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: staging-sorcerer-dev-queue
  namespace: dev-queue
rules:
- apiGroups:
  - jobset.x-k8s.io
  resources:
  - jobsets
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: staging-sorcerer-dev-queue
  namespace: dev-queue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: staging-sorcerer-dev-queue
subjects:
- kind: ServiceAccount
  name: staging-sorcerer
  namespace: staging-sorcerer