Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 3050f3cc2f7f190990a52a65c1eb614c3ad0cd43 / . / charts / cert-manager-webhook-gandi / templates / rbac.yaml
blob: 16cc1498e8ba57274ae2d5c866893cccfceb8eec [file] [log] [blame]
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate
# This ConfigMap is automatically created by the Kubernetes apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:webhook-authentication-reader
namespace: kube-system
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-gandi.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:auth-delegator
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-gandi.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote}}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:domain-solver
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- {{ .Values.groupName }}
resources:
- "*"
verbs:
- "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:domain-solver
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:secret-reader
namespace: {{ .Values.certManager.namespace | quote }}
rules:
- apiGroups:
- ""
resources:
- "secrets"
resourceNames:
- "gandi-credentials"
verbs:
- "get"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:secret-reader
namespace: {{ .Values.certManager.namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-gandi.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
{{- if .Values.features.apiPriorityAndFairness }}
---
# Grant cert-manager-webhook-gandi permission to read the flow control mechanism (APF)
# API Priority and Fairness is enabled by default in Kubernetes 1.20
# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- "flowcontrol.apiserver.k8s.io"
resources:
- "prioritylevelconfigurations"
- "flowschemas"
verbs:
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "cert-manager-webhook-gandi.name" . }}
chart: {{ include "cert-manager-webhook-gandi.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "cert-manager-webhook-gandi.fullname" . }}:flowcontrol-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager-webhook-gandi.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
{{- end }}