---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook-dnsimple
  namespace: "cert-manager"
  labels:
    app: cert-manager-webhook-dnsimple
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webhook-dnsimple:domain-solver
  labels:
    app: cert-manager-webhook-dnsimple
rules:
  - apiGroups:
      - acme.hsn.dev
    resources:
      - '*'
    verbs:
      - 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flow-schema-reader
  labels:
    app: cert-manager-webhook-dnsimple
rules:
  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
    resources: ["flowschemas", "prioritylevelconfigurations"]
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: grant-flow-schema-permission
  labels:
    app: cert-manager-webhook-dnsimple
subjects:
  - kind: ServiceAccount
    name: webhook-dnsimple
    namespace: cert-manager
roleRef:
  kind: ClusterRole
  name: flow-schema-reader
  apiGroup: rbac.authorization.k8s.io
---
# apiserver gets the auth-delegator role to delegate auth decisions to the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook-dnsimple:auth-delegator
  labels:
    app: cert-manager-webhook-dnsimple
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: webhook-dnsimple
    namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook-dnsimple:domain-solver
  labels:
    app: cert-manager-webhook-dnsimple
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: webhook-dnsimple:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Grant the webhook permission to read the api-token Secret in the specified namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 namespace: "cert-manager"
 name: webhook-dnsimple:access-secret
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: webhook-dnsimple:access-secret
 namespace: "cert-manager"
subjects:
- kind: ServiceAccount
  name: webhook-dnsimple
  namespace: "cert-manager"
roleRef:
 kind: Role
 name: webhook-dnsimple:access-secret
 apiGroup: rbac.authorization.k8s.io
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webhook-dnsimple:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: cert-manager-webhook-dnsimple
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: webhook-dnsimple
    namespace: cert-manager