Declare RBAC requirements for secret reading

Use registry.SetRequirements to declare that distribution-module
needs get access on secrets. The operator creates the ClusterRole
automatically. registry_copy reads regcred secrets via K8s client.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tpoxa

cmd/main.go

@@ -11,6 +11,8 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/tiny-systems/module/cli"
+	"github.com/tiny-systems/module/module"
+	"github.com/tiny-systems/module/registry"
 
 	// Import components to register them
 	_ "github.com/tiny-systems/distribution-module/components/registrycatalog"
@@ -33,6 +35,19 @@ func main() {
 		zerolog.SetGlobalLevel(zerolog.DebugLevel)
 	}
 
+	// Declare RBAC requirements - registry_copy needs to read docker-registry secrets
+	registry.SetRequirements(module.Requirements{
+		RBAC: module.RBACRequirements{
+			ExtraRules: []module.RBACRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{"secrets"},
+					Verbs:     []string{"get"},
+				},
+			},
+		},
+	})
+
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop()