From 0a76cfe680d9895603083679dab7362b72bf665d Mon Sep 17 00:00:00 2001
From: bussyjd
Date: Sun, 24 May 2026 16:20:21 +0400
Subject: [PATCH] fix(rbac): grant frontend read access to PurchaseRequest + RegistrationRequest
Without these rules, the frontend ServiceAccount got 403 from the Kubernetes API when /api/marketplace/purchases tried to list PurchaseRequests cluster-wide, surfacing as 'Failed to list PurchaseRequests' on the My Purchases page and an empty rows count even when the agent had signed authorizations.
Adds read-only (get/list/watch) on:
- purchaserequests + status (agent owns writes via x402 skill)
- registrationrequests + status (controller owns writes)
Stacked on feat/marketplace-bundle (#536) where this template lives.
---
 .../infrastructure/base/templates/obol-frontend.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/internal/embed/infrastructure/base/templates/obol-frontend.yaml b/internal/embed/infrastructure/base/templates/obol-frontend.yaml
index 397a192..1c7f2b0 100644
--- a/internal/embed/infrastructure/base/templates/obol-frontend.yaml
+++ b/internal/embed/infrastructure/base/templates/obol-frontend.yaml
@@ -77,6 +77,18 @@ rules:
 - apiGroups: ["obol.org"]
 resources: ["serviceoffers", "serviceoffers/status"]
 verbs: ["get", "list", "create", "update", "patch", "delete"]
+ # PurchaseRequest CRD — /api/marketplace/purchases lists agent buys
+ # cluster-wide so the My Purchases page can show every signed auth
+ # paying to the connected wallet. Read-only: the agent owns writes.
+ - apiGroups: ["obol.org"]
+ resources: ["purchaserequests", "purchaserequests/status"]
+ verbs: ["get", "list", "watch"]
+ # RegistrationRequest CRD — surfaces ERC-8004 registration state on
+ # listing rows ("Registered" vs "Pending"). Read-only: the controller
+ # owns writes.
+ - apiGroups: ["obol.org"]
+ resources: ["registrationrequests", "registrationrequests/status"]
+ verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
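Review bot: The new `purchaserequests` rule lets the frontend ServiceAccount read every PurchaseRequest and its status across the cluster, while the added comment says the page only needs the ones paying to the connected wallet. Nothing in this hunk narrows that, so the per-wallet restriction presumably lives in the `/api/marketplace/purchases` handler; it should filter server-side and return only the fields the page renders, since these objects appear to relate to signed authorizations. `watch` is granted on both new rules although the commit message and comments only describe listing; if the frontend runs no informer, `verbs: ["get", "list"]` is the tighter grant. The `rules:` list and the role's `kind` start outside the hunk, so the cluster-wide scope is inferred from the commit message.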