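# cert-manager Route53 IAM Role for IRSA
# RFC 0039: ADR-Compliant Foundation Infrastructure
#
# This ServiceAccount uses IRSA to allow cert-manager to manage
# Route53 DNS records for DNS-01 ACME challenges.
#
# Documents in this file:
#   1. ServiceAccount annotated with the IAM role to assume.
#   2. ClusterRole allowing token creation for that ServiceAccount only.
#   3. ClusterRoleBinding attaching the ClusterRole to the ServiceAccount.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-route53
  namespace: cert-manager
  annotations:
    # Replace with actual IAM role ARN from Terraform.
    # The value below is a template placeholder; presumably the deploy
    # pipeline substitutes it before apply. Applied as-is, the annotation
    # is a literal string and role assumption will fail.
    # NOTE(review): the IAM role's trust policy is not visible here. It
    # should pin the OIDC "sub" claim to
    # system:serviceaccount:cert-manager:cert-manager-route53 so that no
    # other ServiceAccount in the cluster can assume the role.
    eks.amazonaws.com/role-arn: "${CERT_MANAGER_ROUTE53_ROLE_ARN}"
  labels:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/component: route53-solver
---
# ClusterRole for cert-manager to use the ServiceAccount
#
# Token creation is limited with resourceNames. Without it, "create" on
# serviceaccounts/token lets the subject mint tokens for any
# ServiceAccount, which is a privilege-escalation path.
# NOTE(review): because this is bound with a ClusterRoleBinding, the rule
# still matches a ServiceAccount named cert-manager-route53 in every
# namespace. A namespaced Role/RoleBinding in cert-manager would be
# tighter; consider migrating (roleRef is immutable, so that needs new
# objects and removal of these).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-route53
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["cert-manager-route53"]
    verbs: ["create"]
---
# Grants the ClusterRole above to the cert-manager-route53 ServiceAccount.
# NOTE(review): the subject is the Route53 ServiceAccount itself. If the
# cert-manager controller is what requests tokens for this ServiceAccount,
# the subject would need to be the controller's ServiceAccount instead.
# Confirm against the Issuer/ClusterIssuer solver configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-route53
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-route53
subjects:
  - kind: ServiceAccount
    name: cert-manager-route53
    namespace: cert-manager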