mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-09-23 09:46:05 +00:00
bdd9dd922b
* Only deploy operators on GCP/Azure. * cert-manager is now deployed by default (GCP/Azure) * remove OLM
546 lines
19 KiB
YAML
546 lines
19 KiB
YAML
{{- if .Values.global.rbac.create }}
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
|
namespace: {{ .Values.global.leaderElection.namespace }}
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["coordination.k8s.io"]
|
|
resources: ["leases"]
|
|
resourceNames: ["cert-manager-controller"]
|
|
verbs: ["get", "update", "patch"]
|
|
- apiGroups: ["coordination.k8s.io"]
|
|
resources: ["leases"]
|
|
verbs: ["create"]
|
|
|
|
---
|
|
|
|
# grant cert-manager permission to manage the leaderelection configmap in the
|
|
# leader election namespace
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ include "cert-manager.fullname" . }}:leaderelection
|
|
namespace: {{ .Values.global.leaderElection.namespace }}
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ template "cert-manager.fullname" . }}:leaderelection
|
|
subjects:
|
|
- apiGroup: ""
|
|
kind: ServiceAccount
|
|
name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
|
|
---
|
|
|
|
# Issuer controller role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["issuers", "issuers/status"]
|
|
verbs: ["update", "patch"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
|
|
---
|
|
|
|
# ClusterIssuer controller role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["clusterissuers", "clusterissuers/status"]
|
|
verbs: ["update", "patch"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["clusterissuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
|
|
---
|
|
|
|
# Certificates controller role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
|
verbs: ["update", "patch"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders"]
|
|
verbs: ["create", "delete", "get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
|
|
---
|
|
|
|
# Orders controller role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders", "orders/status"]
|
|
verbs: ["update", "patch"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders", "challenges"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["clusterissuers", "issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges"]
|
|
verbs: ["create", "delete"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["orders/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
|
|
---
|
|
|
|
# Challenges controller role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
# Use to update challenge resource status
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges", "challenges/status"]
|
|
verbs: ["update", "patch"]
|
|
# Used to watch challenge resources
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Used to watch challenges, issuer and clusterissuer resources
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["issuers", "clusterissuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Need to be able to retrieve ACME account private key to complete challenges
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Used to create events
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
# HTTP01 rules
|
|
- apiGroups: [""]
|
|
resources: ["pods", "services"]
|
|
verbs: ["get", "list", "watch", "create", "delete"]
|
|
- apiGroups: ["networking.k8s.io"]
|
|
resources: ["ingresses"]
|
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
|
- apiGroups: [ "gateway.networking.k8s.io" ]
|
|
resources: [ "httproutes" ]
|
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
|
# We require the ability to specify a custom hostname when we are creating
|
|
# new ingress resources.
|
|
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
|
- apiGroups: ["route.openshift.io"]
|
|
resources: ["routes/custom-host"]
|
|
verbs: ["create"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges/finalizers"]
|
|
verbs: ["update"]
|
|
# DNS01 rules (duplicated above)
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
---
|
|
|
|
# ingress-shim controller role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests"]
|
|
verbs: ["create", "update", "delete"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["networking.k8s.io"]
|
|
resources: ["ingresses"]
|
|
verbs: ["get", "list", "watch"]
|
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|
# admission controller enabled:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["networking.k8s.io"]
|
|
resources: ["ingresses/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["gateway.networking.k8s.io"]
|
|
resources: ["gateways", "httproutes"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["gateway.networking.k8s.io"]
|
|
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
|
verbs: ["update"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-issuers
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-certificates
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-orders
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-challenges
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-view
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
{{- end }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "issuers"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges", "orders"]
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-edit
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "controller"
|
|
{{- include "labels" . | nindent 4 }}
|
|
{{- if .Values.global.rbac.aggregateClusterRoles }}
|
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
{{- end }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates", "certificaterequests", "issuers"]
|
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["certificates/status"]
|
|
verbs: ["update"]
|
|
- apiGroups: ["acme.cert-manager.io"]
|
|
resources: ["challenges", "orders"]
|
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
|
|
|
---
|
|
|
|
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "cert-manager"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["cert-manager.io"]
|
|
resources: ["signers"]
|
|
verbs: ["approve"]
|
|
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "cert-manager"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
|
|
---
|
|
|
|
# Permission to:
|
|
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
|
|
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "cert-manager"
|
|
{{- include "labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["certificates.k8s.io"]
|
|
resources: ["certificatesigningrequests"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: ["certificates.k8s.io"]
|
|
resources: ["certificatesigningrequests/status"]
|
|
verbs: ["update", "patch"]
|
|
- apiGroups: ["certificates.k8s.io"]
|
|
resources: ["signers"]
|
|
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
|
verbs: ["sign"]
|
|
- apiGroups: ["authorization.k8s.io"]
|
|
resources: ["subjectaccessreviews"]
|
|
verbs: ["create"]
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
|
labels:
|
|
app: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "cert-manager"
|
|
{{- include "labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
|
|
subjects:
|
|
- name: {{ template "cert-manager.serviceAccountName" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
kind: ServiceAccount
|
|
{{- end }}
|