| Tadas Sutkaitis | 8d03724 | 2024-02-08 02:48:21 +0200 | [diff] [blame] | 1 | apiVersion: v1 |
| 2 | kind: ServiceAccount |
| 3 | metadata: |
| 4 | name: {{ include "godaddy-webhook.fullname" . }} |
| 5 | labels: |
| 6 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 7 | --- |
| 8 | # Grant the webhook permission to read the ConfigMap containing the Kubernetes |
| 9 | # apiserver's requestheader-ca-certificate. |
| 10 | # This ConfigMap is automatically created by the Kubernetes apiserver. |
| 11 | apiVersion: rbac.authorization.k8s.io/v1 |
| 12 | kind: RoleBinding |
| 13 | metadata: |
| 14 | name: {{ include "godaddy-webhook.fullname" . }}:webhook-authentication-reader |
| 15 | namespace: kube-system |
| 16 | labels: |
| 17 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 18 | roleRef: |
| 19 | apiGroup: rbac.authorization.k8s.io |
| 20 | kind: Role |
| 21 | name: extension-apiserver-authentication-reader |
| 22 | subjects: |
| 23 | - apiGroup: "" |
| 24 | kind: ServiceAccount |
| 25 | name: {{ include "godaddy-webhook.fullname" . }} |
| 26 | namespace: {{ .Release.Namespace }} |
| 27 | --- |
| 28 | # apiserver gets the auth-delegator role to delegate auth decisions to |
| 29 | # the core apiserver |
| 30 | apiVersion: rbac.authorization.k8s.io/v1 |
| 31 | kind: ClusterRoleBinding |
| 32 | metadata: |
| 33 | name: {{ include "godaddy-webhook.fullname" . }}:auth-delegator |
| 34 | labels: |
| 35 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 36 | roleRef: |
| 37 | apiGroup: rbac.authorization.k8s.io |
| 38 | kind: ClusterRole |
| 39 | name: system:auth-delegator |
| 40 | subjects: |
| 41 | - apiGroup: "" |
| 42 | kind: ServiceAccount |
| 43 | name: {{ include "godaddy-webhook.fullname" . }} |
| 44 | namespace: {{ .Release.Namespace }} |
| 45 | --- |
| 46 | # Grant cert-manager permission to validate using our apiserver |
| 47 | apiVersion: rbac.authorization.k8s.io/v1 |
| 48 | kind: ClusterRole |
| 49 | metadata: |
| 50 | name: {{ include "godaddy-webhook.fullname" . }}:domain-solver |
| 51 | labels: |
| 52 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 53 | rules: |
| 54 | - apiGroups: |
| 55 | - {{ .Values.groupName }} |
| 56 | resources: |
| 57 | - '*' |
| 58 | verbs: |
| 59 | - 'create' |
| 60 | --- |
| 61 | apiVersion: rbac.authorization.k8s.io/v1 |
| 62 | kind: ClusterRoleBinding |
| 63 | metadata: |
| 64 | name: {{ include "godaddy-webhook.fullname" . }}:domain-solver |
| 65 | labels: |
| 66 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 67 | roleRef: |
| 68 | apiGroup: rbac.authorization.k8s.io |
| 69 | kind: ClusterRole |
| 70 | name: {{ include "godaddy-webhook.fullname" . }}:domain-solver |
| 71 | subjects: |
| 72 | - apiGroup: "" |
| 73 | kind: ServiceAccount |
| 74 | name: {{ .Values.certManager.serviceAccountName }} |
| 75 | namespace: {{ .Values.certManager.namespace }} |
| 76 | --- |
| 77 | apiVersion: rbac.authorization.k8s.io/v1 |
| 78 | kind: ClusterRoleBinding |
| 79 | metadata: |
| 80 | name: {{ include "godaddy-webhook.fullname" . }} |
| 81 | labels: |
| 82 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 83 | roleRef: |
| 84 | apiGroup: rbac.authorization.k8s.io |
| 85 | kind: ClusterRole |
| 86 | name: {{ include "godaddy-webhook.fullname" . }} |
| 87 | subjects: |
| 88 | - apiGroup: "" |
| 89 | kind: ServiceAccount |
| 90 | name: {{ include "godaddy-webhook.fullname" . }} |
| 91 | namespace: {{ .Release.Namespace }} |
| 92 | --- |
| 93 | apiVersion: rbac.authorization.k8s.io/v1 |
| 94 | kind: ClusterRole |
| 95 | metadata: |
| 96 | name: {{ include "godaddy-webhook.fullname" . }} |
| 97 | labels: |
| 98 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 99 | rules: |
| 100 | - apiGroups: |
| 101 | - '' |
| 102 | resources: |
| 103 | - 'secrets' |
| 104 | verbs: |
| 105 | - 'get' |
| 106 | --- |
| 107 | # Grant cert-manager-webhook-gandi permission to read the flow control mechanism (APF) |
| 108 | # API Priority and Fairness is enabled by default in Kubernetes 1.20 |
| 109 | # https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ |
| 110 | apiVersion: rbac.authorization.k8s.io/v1 |
| 111 | kind: ClusterRole |
| 112 | metadata: |
| 113 | name: {{ include "godaddy-webhook.fullname" . }}:flowcontrol-solver |
| 114 | labels: |
| 115 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 116 | rules: |
| 117 | - apiGroups: |
| 118 | - "flowcontrol.apiserver.k8s.io" |
| 119 | resources: |
| 120 | - "prioritylevelconfigurations" |
| 121 | - "flowschemas" |
| 122 | verbs: |
| 123 | - "list" |
| 124 | - "watch" |
| 125 | --- |
| 126 | apiVersion: rbac.authorization.k8s.io/v1 |
| 127 | kind: ClusterRoleBinding |
| 128 | metadata: |
| 129 | name: {{ include "godaddy-webhook.fullname" . }}:flowcontrol-solver |
| 130 | labels: |
| 131 | {{ include "godaddy-webhook.labels" . | indent 4 }} |
| 132 | roleRef: |
| 133 | apiGroup: rbac.authorization.k8s.io |
| 134 | kind: ClusterRole |
| 135 | name: {{ include "godaddy-webhook.fullname" . }}:flowcontrol-solver |
| 136 | subjects: |
| 137 | - apiGroup: "" |
| 138 | kind: ServiceAccount |
| 139 | name: {{ include "godaddy-webhook.fullname" . }} |
| 140 | namespace: {{ .Release.Namespace }} |