# This sets up a service account with the required permissions for running the Codex workflows. For now,
# this needs to be manually applied to the cluster running Argo before submitting any benchmarking workflows.

# The codex-benchmarks namespace needs to exist, as otherwise we can't create the RoleBinding in the proper namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: codex-benchmarks
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: codex-benchmarks-workflows
  namespace: argo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: codex-workflows-runner
rules:
  - apiGroups: [ "" ]
    resources: [ "namespaces", "persistentvolumeclaims", "pods", "services", "secrets" ]
    verbs: [ "*" ]

  - apiGroups: [ "apps" ]
    resources: [ "deployments", "statefulsets" ]
    verbs: [ "*" ]

  - apiGroups: [ "batch" ]
    resources: [ "jobs" ]
    verbs: [ "*" ]
---
# This role already exists with the default Argo installer, but it might be missing, so we add it here as well.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: executor
  namespace: argo
rules:
  - apiGroups: [ "argoproj.io" ]
    resources: [ "workflowtaskresults" ]
    verbs: [ "create", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: codex-workflows-runner
  namespace: codex-benchmarks
subjects:
  - kind: ServiceAccount
    name: codex-benchmarks-workflows
    namespace: argo
roleRef:
  kind: ClusterRole
  name: codex-workflows-runner
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: codex-workflows-runner-executor
  namespace: argo
subjects:
  - kind: ServiceAccount
    name: codex-benchmarks-workflows
    namespace: argo
roleRef:
  kind: Role
  name: executor
  apiGroup: rbac.authorization.k8s.io