Blame - charts/cert-manager/templates/webhook-rbac.yaml - pcloud

blob: b075ffd460e3bfcaaaa86a4897996a5e8882782f [file] [log] [blame]

Giorgi Lekveishvili	d1234c1	2023-06-19 10:37:06 +0400	[diff] [blame]	1	{{- if .Values.global.rbac.create }}
				2	apiVersion: rbac.authorization.k8s.io/v1
				3	kind: Role
				4	metadata:
				5	name: {{ template "webhook.fullname" . }}:dynamic-serving
				6	namespace: {{ include "cert-manager.namespace" . }}
				7	labels:
				8	app: {{ include "webhook.name" . }}
				9	app.kubernetes.io/name: {{ include "webhook.name" . }}
				10	app.kubernetes.io/instance: {{ .Release.Name }}
				11	app.kubernetes.io/component: "webhook"
				12	{{- include "labels" . \| nindent 4 }}
				13	rules:
				14	- apiGroups: [""]
				15	resources: ["secrets"]
				16	resourceNames:
				17	- '{{ template "webhook.fullname" . }}-ca'
				18	verbs: ["get", "list", "watch", "update"]
				19	# It's not possible to grant CREATE permission on a single resourceName.
				20	- apiGroups: [""]
				21	resources: ["secrets"]
				22	verbs: ["create"]
				23	---
				24
				25	apiVersion: rbac.authorization.k8s.io/v1
				26	kind: RoleBinding
				27	metadata:
				28	name: {{ template "webhook.fullname" . }}:dynamic-serving
				29	namespace: {{ include "cert-manager.namespace" . }}
				30	labels:
				31	app: {{ include "webhook.name" . }}
				32	app.kubernetes.io/name: {{ include "webhook.name" . }}
				33	app.kubernetes.io/instance: {{ .Release.Name }}
				34	app.kubernetes.io/component: "webhook"
				35	{{- include "labels" . \| nindent 4 }}
				36	roleRef:
				37	apiGroup: rbac.authorization.k8s.io
				38	kind: Role
				39	name: {{ template "webhook.fullname" . }}:dynamic-serving
				40	subjects:
				41	- apiGroup: ""
				42	kind: ServiceAccount
				43	name: {{ template "webhook.serviceAccountName" . }}
				44	namespace: {{ include "cert-manager.namespace" . }}
				45
				46	---
				47
				48	apiVersion: rbac.authorization.k8s.io/v1
				49	kind: ClusterRole
				50	metadata:
				51	name: {{ template "webhook.fullname" . }}:subjectaccessreviews
				52	labels:
				53	app: {{ include "webhook.name" . }}
				54	app.kubernetes.io/name: {{ include "webhook.name" . }}
				55	app.kubernetes.io/instance: {{ .Release.Name }}
				56	app.kubernetes.io/component: "webhook"
				57	{{- include "labels" . \| nindent 4 }}
				58	rules:
				59	- apiGroups: ["authorization.k8s.io"]
				60	resources: ["subjectaccessreviews"]
				61	verbs: ["create"]
				62	---
				63
				64	apiVersion: rbac.authorization.k8s.io/v1
				65	kind: ClusterRoleBinding
				66	metadata:
				67	name: {{ template "webhook.fullname" . }}:subjectaccessreviews
				68	labels:
				69	app: {{ include "webhook.name" . }}
				70	app.kubernetes.io/name: {{ include "webhook.name" . }}
				71	app.kubernetes.io/instance: {{ .Release.Name }}
				72	app.kubernetes.io/component: "webhook"
				73	{{- include "labels" . \| nindent 4 }}
				74	roleRef:
				75	apiGroup: rbac.authorization.k8s.io
				76	kind: ClusterRole
				77	name: {{ template "webhook.fullname" . }}:subjectaccessreviews
				78	subjects:
				79	- apiGroup: ""
				80	kind: ServiceAccount
				81	name: {{ template "webhook.serviceAccountName" . }}
				82	namespace: {{ include "cert-manager.namespace" . }}
				83	{{- end }}