apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "dnsimple-webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: app: {{ include "dnsimple-webhook.name" . }} chart: {{ include "dnsimple-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} --- # Grant the webhook permission to read the api-token Secret in the specified namespace. kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: {{ .Release.Namespace | quote }} name: {{ include "dnsimple-webhook.fullname" . }}:access-secret rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "dnsimple-webhook.fullname" . }}:access-secret namespace: {{ .Release.Namespace | quote }} subjects: - kind: ServiceAccount name: {{ include "dnsimple-webhook.fullname" . }} namespace: {{ .Release.Namespace | quote }} roleRef: kind: Role name: {{ include "dnsimple-webhook.fullname" . }}:access-secret apiGroup: rbac.authorization.k8s.io --- # Grant the webhook permission to read the ConfigMap containing the Kubernetes # apiserver's requestheader-ca-certificate. # This ConfigMap is automatically created by the Kubernetes apiserver. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader namespace: kube-system labels: app: {{ include "dnsimple-webhook.name" . }} chart: {{ include "dnsimple-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - apiGroup: "" kind: ServiceAccount name: {{ include "dnsimple-webhook.fullname" . }} namespace: {{ .Release.Namespace }} --- # apiserver gets the auth-delegator role to delegate auth decisions to # the core apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator labels: app: {{ include "dnsimple-webhook.name" . }} chart: {{ include "dnsimple-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - apiGroup: "" kind: ServiceAccount name: {{ include "dnsimple-webhook.fullname" . }} namespace: {{ .Release.Namespace }} --- # Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver labels: app: {{ include "dnsimple-webhook.name" . }} chart: {{ include "dnsimple-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} rules: - apiGroups: - {{ .Values.groupName }} resources: - '*' verbs: - 'create' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver labels: app: {{ include "dnsimple-webhook.name" . }} chart: {{ include "dnsimple-webhook.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver subjects: - apiGroup: "" kind: ServiceAccount name: {{ .Values.certManager.serviceAccountName }} namespace: {{ .Values.certManager.namespace }}