Installer: migrate internal services to *.p.{domain}
diff --git a/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
new file mode 100644
index 0000000..b3d1491
--- /dev/null
+++ b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-gandi-webhook-secret-reader
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-gandi-webhook-secret-reader
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-gandi-webhook-secret-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.certManager.gandiWebhookSecretReader }}
+ namespace: {{ .Values.certManager.namespace }}