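# Portions of the code in this file are derived from https://github.com/cert-manager/webhook-example/blob/master/deploy/example-webhook/templates/rbac.yaml
# Portions of the code in this file are derived from https://gitlab.com/dn13/cert-manager-webhook-oci/-/blob/1.1.0/deploy/cert-manager-webhook-oci/templates/rbac.yaml
#
# RBAC for the cert-manager OCI DNS webhook (an aggregated apiserver).
# Every templated scalar is passed through `quote` so that an empty, boolean-
# or number-looking value cannot change the YAML type of the rendered
# manifest; `required` fails the render where an empty value would silently
# widen a grant.

# ServiceAccount the webhook pod runs as. All bindings below, except
# domain-solver (which binds cert-manager's own ServiceAccount), target it.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
{{- end }}
metadata:
  name: {{ include "cert-manager-webhook-oci.fullname" . | quote }}
  labels:
    app: {{ include "cert-manager-webhook-oci.name" . | quote }}
    chart: {{ include "cert-manager-webhook-oci.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver, which is
# why this RoleBinding lives in kube-system rather than in the release
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ printf "%s:webhook-authentication-reader" (include "cert-manager-webhook-oci.fullname" .) | quote }}
  namespace: kube-system
  labels:
    app: {{ include "cert-manager-webhook-oci.name" . | quote }}
    chart: {{ include "cert-manager-webhook-oci.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-oci.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# The webhook apiserver gets the auth-delegator role so it can delegate
# authentication/authorization decisions to the core apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ printf "%s:auth-delegator" (include "cert-manager-webhook-oci.fullname" .) | quote }}
  labels:
    app: {{ include "cert-manager-webhook-oci.name" . | quote }}
    chart: {{ include "cert-manager-webhook-oci.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-oci.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# Grant cert-manager permission to validate using our apiserver: `create` on
# every resource in the webhook's own API group.
# `required` stops an empty .Values.groupName from rendering as "" (the core
# API group), which would grant cert-manager create on core resources instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ printf "%s:domain-solver" (include "cert-manager-webhook-oci.fullname" .) | quote }}
  labels:
    app: {{ include "cert-manager-webhook-oci.name" . | quote }}
    chart: {{ include "cert-manager-webhook-oci.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
rules:
  - apiGroups:
      - {{ required "groupName must be set to the webhook's API group" .Values.groupName | quote }}
    resources:
      - "*"
    verbs:
      - "create"
---
# Bind domain-solver to cert-manager's ServiceAccount (not the webhook's): it is
# cert-manager that calls the webhook's API group to present/clean up
# challenges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ printf "%s:domain-solver" (include "cert-manager-webhook-oci.fullname" .) | quote }}
  labels:
    app: {{ include "cert-manager-webhook-oci.name" . | quote }}
    chart: {{ include "cert-manager-webhook-oci.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ printf "%s:domain-solver" (include "cert-manager-webhook-oci.fullname" .) | quote }}
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ .Values.certManager.serviceAccountName | quote }}
    namespace: {{ .Values.certManager.namespace | quote }}
---
# Role letting the webhook read the OCI credential Secret(s) in the cluster
# resource namespace.
# NOTE: the resourceNames restriction is rendered only when
# .Values.ociAuthSecrets is non-empty. With it unset, this Role grants get/watch
# on every Secret in that namespace; keep ociAuthSecrets populated to stay
# least-privilege.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ printf "%s:secret-reader" (include "cert-manager-webhook-oci.fullname" .) | quote }}
  namespace: {{ include "cert-manager-webhook-oci.clusterResourceNamespace" . | quote }}
rules:
  - apiGroups:
      - ""
    resources:
      - "secrets"
    {{- with .Values.ociAuthSecrets }}
    resourceNames:
      {{- toYaml . | nindent 6 }}
    {{- end }}
    verbs:
      - "get"
      - "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ printf "%s:secret-reader" (include "cert-manager-webhook-oci.fullname" .) | quote }}
  namespace: {{ include "cert-manager-webhook-oci.clusterResourceNamespace" . | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ printf "%s:secret-reader" (include "cert-manager-webhook-oci.fullname" .) | quote }}
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-oci.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# Read access to the flowcontrol API (API Priority and Fairness) for the
# aggregated apiserver. ClusterRole and ClusterRoleBinding are cluster-scoped,
# so no metadata.namespace is set on them (the API server ignores it).
# NOTE(review): the wildcard could probably be narrowed to flowschemas and
# prioritylevelconfigurations — confirm against the webhook's apiserver
# library before tightening.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ printf "%s:flowcontrol" (include "cert-manager-webhook-oci.fullname" .) | quote }}
rules:
  - apiGroups:
      - flowcontrol.apiserver.k8s.io
    resources:
      - "*"
    verbs:
      - "get"
      - "watch"
      - "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ printf "%s:flowcontrol" (include "cert-manager-webhook-oci.fullname" .) | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ printf "%s:flowcontrol" (include "cert-manager-webhook-oci.fullname" .) | quote }}
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-oci.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}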