nscaledev · spjmurray · May 15, 2025
diff --git a/README.md b/README.md
@@ -81,17 +81,3 @@ spec:
 ```
 
 </details>
-
-### Configuring Service Authentication and Authorization
-
-The [Unikorn Identity Service](https://github.com/unikorn-cloud/identity) describes how to configure a service organization, groups and role mappings for services that require them.
-
-This service requires asynchronous access to the Unikorn Region API in order to poll cloud identity and physical network status during cluster creation, and delete those resources on cluster deletion.
-
-This service defines the `unikorn-compute` user that will need to be added to a group in the service organization.
-It will need the built in role `infra-manager-service` that allows:
-
-* Read access to the `region` endpoints to access external networks
-* Read/delete access to the `identites` endpoints to poll and delete cloud identities
-* Read/delete access to the `physicalnetworks` endpoints to poll and delete physical networks
-* Create/Read/Delete access to the `servers` endpoints to manage compute instances
diff --git a/charts/compute/templates/certificate.yaml b/charts/compute/templates/certificate.yaml
diff --git a/charts/compute/templates/rbac.yaml b/charts/compute/templates/rbac.yaml
@@ -0,0 +1,67 @@
+{{- $systemAccountName := "unikorn-compute" -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-client
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: unikorn-client-issuer
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 4096
+  secretName: {{ include "unikorn.mtls.certificate-name" . }}
+  commonName: {{ $systemAccountName }}
+---
+apiVersion: identity.unikorn-cloud.org/v1alpha1
+kind: Role
+metadata:
+  name: {{ include "resource.id" $systemAccountName }}
+  labels:
+    {{- include "unikorn.labels" $ | nindent 4 }}
+    unikorn-cloud.org/name: {{ $systemAccountName }}
+  annotations:
+    unikorn-cloud.org/description: Unikorn Kubernetes service.
+spec:
+  protected: true
+  scopes:
+    global:
+    # For quota management.
+    - name: "identity:allocations"
+      operations: [create,read,update,delete]
+    # To create a cloud identity to provision hardware.
+    - name: "region:identities"
+      operations: [create,read,delete]
+    # To present compatible regions.
+    - name: "region:regions"
+      operations: [read]
+    # To present compatible flavors.
+    - name: "region:flavors"
+      operations: [read]
+    # To present compatible images.
+    - name: "region:images"
+      operations: [read]
+    # To create VLAN provider networks for baremetal clusters.
+    - name: "region:networks"
+      operations: [create,read,delete]
+    # To create servers.
+    - name: "region:servers"
+      operations: [create,read,update,delete]
+    # To create securtiy groups.
+    - name: "region:securitygroups"
+      operations: [create,read,update,delete]
+---
+apiVersion: identity.unikorn-cloud.org/v1alpha1
+kind: SystemAccount
+metadata:
+  name: {{ $systemAccountName }}
+  labels:
+    {{- include "unikorn.labels" $ | nindent 4 }}
+spec:
+  role:
+    name: {{ include "resource.id" $systemAccountName }}