bootstrapper: tie up all dns related services
diff --git a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
index c3d8405..acd44c1 100644
--- a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
@@ -65,7 +65,7 @@
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- - {{ .Values.groupName }}
+ - {{ .Values.apiGroupName }}
resources:
- "*"
verbs:
@@ -120,6 +120,34 @@
kind: ServiceAccount
name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
+---
+# TODO(gio): limit access by resourceNames
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ verbs:
+ - "get"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote }}
{{- if .Values.features.apiPriorityAndFairness }}
---
# Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
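Review bot: The new `api-configmap-reader` ClusterRole grants `get`/`watch` on every ConfigMap in every namespace, and the `TODO(gio)` line above it already admits the scope is wider than intended. If the ConfigMap the webhook reads lives in a known namespace, a namespaced Role/RoleBinding with a `resourceNames` entry (e.g. `resourceNames:` / `- "<configmap-name-placeholder>"`) bounds the grant now rather than leaving it to the TODO; at minimum the comment should name which ConfigMap and namespace are actually read so the restriction can be applied later. Also worth confirming how the ConfigMap is consumed: client-go informers issue a `list` before `watch`, so granting `- "watch"` without `- "list"` may fail at runtime if an informer is used, while a plain `get` loop would not need it.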
@@ -162,4 +190,4 @@
kind: ServiceAccount
name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}