---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webhook-dnsimple:domain-solver
  labels:
    app: cert-manager-webhook-dnsimple
rules:
  - apiGroups:
      - acme.hsn.dev
    resources:
      - "*"
    verbs:
      - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flow-schema-reader
  labels:
    app: cert-manager-webhook-dnsimple
rules:
  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
    resources: ["flowschemas", "prioritylevelconfigurations"]
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: grant-flow-schema-permission
  labels:
    app: cert-manager-webhook-dnsimple
subjects:
  - kind: ServiceAccount
    name: webhook-dnsimple
    namespace: cert-manager
roleRef:
  kind: ClusterRole
  name: flow-schema-reader
  apiGroup: rbac.authorization.k8s.io
---
# apiserver gets the auth-delegator role to delegate auth decisions to the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook-dnsimple:auth-delegator
  labels:
    app: cert-manager-webhook-dnsimple
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: webhook-dnsimple
    namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook-dnsimple:domain-solver
  labels:
    app: cert-manager-webhook-dnsimple
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: webhook-dnsimple:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Grant the webhook permission to read the api-token Secret in the specified namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: "cert-manager"
  name: webhook-dnsimple:access-secret
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: webhook-dnsimple:access-secret
  namespace: "cert-manager"
subjects:
  - kind: ServiceAccount
    name: webhook-dnsimple
    namespace: "cert-manager"
roleRef:
  kind: Role
  name: webhook-dnsimple:access-secret
  apiGroup: rbac.authorization.k8s.io