cert-manager dns-challenge-solver
diff --git a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
new file mode 100644
index 0000000..c3d8405
--- /dev/null
+++ b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
@@ -0,0 +1,165 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote }}
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate
+# This ConfigMap is automatically created by the Kubernetes apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:auth-delegator
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote}}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - {{ .Values.groupName }}
+ resources:
+ - "*"
+ verbs:
+ - "create"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ .Values.certManager.serviceAccountName }}
+ namespace: {{ .Values.certManager.namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
+ namespace: {{ .Values.certManager.namespace | quote }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ resourceNames:
+ - "pcloud-credentials"
+ verbs:
+ - "get"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
+ namespace: {{ .Values.certManager.namespace | quote }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote }}
+{{- if .Values.features.apiPriorityAndFairness }}
+---
+# Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
+# API Priority and Fairness is enabled by default in Kubernetes 1.20
+# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - "flowcontrol.apiserver.k8s.io"
+ resources:
+ - "prioritylevelconfigurations"
+ - "flowschemas"
+ verbs:
+ - "list"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
+ labels:
+ app: {{ include "cert-manager-webhook-pcloud.name" . }}
+ chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote }}
+{{- end }}
\ No newline at end of file
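Review bot: The `secret-reader` Role hard-codes `pcloud-credentials` in `resourceNames`, so the webhook can only read a Secret of exactly that name in the cert-manager namespace; if the Issuer's webhook config lets users choose the credentials Secret name (not visible here), any other name fails at runtime with a forbidden error and nothing in the chart explains why. Either document that constraint in a comment above the Role or source the name from a value, e.g. `- {{ .Values.credentialsSecretName | default "pcloud-credentials" | quote }}`, and keep `list` out of the verb set since `resourceNames` does not constrain `list`. The `domain-solver` ClusterRole grants cert-manager's service account `create` on `resources: ["*"]` in the webhook's API group; this matches the upstream webhook-example pattern, but it can be narrowed to the solver's resource name if the chart knows it. Minor consistency points: `.Values.groupName` and `.Values.certManager.serviceAccountName` are the only templated scalars not passed through `quote`, the `secret-reader` Role and RoleBinding are the only objects missing the shared `labels` block, and the file lacks a trailing newline.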