From 623867a559836f8ef1fe195a6f2e6b8afe2704ae Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Tue, 15 Aug 2023 13:26:27 +0000
Subject: [PATCH] Fix rbac issues with dnsimple cert issuer.
---
 .../issuers/dnsimple-issuer-rbac.yaml | 22 +++++++++++++++++++
 .../cert-manager/issuers/kustomization.yaml | 1 +
 .../apps/security/external-secrets/ks.yaml | 4 ----
 3 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple-issuer-rbac.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple-issuer-rbac.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple-issuer-rbac.yaml
new file mode 100644
index 0000000..241ba25
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple-issuer-rbac.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flow-schema-reader
+rules:
+ - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: grant-flow-schema-permission
+subjects:
+ - kind: ServiceAccount
+ name: dnsimple-issuer-cert-manager-webhook-dnsimple
+ namespace: cert-manager
+roleRef:
+ kind: ClusterRole
+ name: flow-schema-reader
+ apiGroup: rbac.authorization.k8s.io
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
index b240e59..d7b489d 100644
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
@@ -6,4 +6,5 @@ resources:
 - ./externalsecret.yaml
 - ./issuer-letsencrypt-prod.yaml
 - ./issuer-letsencrypt-staging.yaml
+ - ./dnsimple-issuer-rbac.yaml
 - ./helmrelease.yaml
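Review bot: The ClusterRoleBinding hard-codes the subject ServiceAccount name `dnsimple-issuer-cert-manager-webhook-dnsimple`, which appears to be derived from the HelmRelease and chart names; a binding whose subject does not exist is accepted silently, so a later rename of the release would leave the webhook without this permission and nothing in this manifest would flag it. A comment above `subjects:` such as `# must match the ServiceAccount created by the dnsimple-issuer HelmRelease in ./helmrelease.yaml` would make that coupling visible. The cluster-scoped names `flow-schema-reader` and `grant-flow-schema-permission` are generic; a component-specific prefix such as `dnsimple-issuer-flow-schema-reader` would avoid a collision with any other component that needs the same read access. The grant itself is read-only (`list`, `watch`) on two APF resource kinds, which is as narrow as this fix needs.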
diff --git a/kubernetes/apps/security/external-secrets/ks.yaml b/kubernetes/apps/security/external-secrets/ks.yaml
index 6f13ba0..f36d2e8 100644
--- a/kubernetes/apps/security/external-secrets/ks.yaml
+++ b/kubernetes/apps/security/external-secrets/ks.yaml
@@ -25,10 +25,6 @@ spec:
 sourceRef:
 kind: GitRepository
 name: valinor
- decryption:
- provider: sops
- secretRef:
- name: sops-age
 wait: true
 dependsOn:
 - name: cluster-apps-external-secrets
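Review bot: Removing the `decryption` stanza from the external-secrets Flux Kustomization is unrelated to the RBAC fix named in the subject line and is not mentioned anywhere in the commit message. If any manifest still reachable from that Kustomization's path is SOPS-encrypted, Flux will no longer decrypt it and, as far as I recall, applies the ciphertext as a literal value rather than failing, so this should be confirmed against the tree before merging. Either state in the description why SOPS decryption is no longer needed here (for example, secrets moved to ExternalSecret objects) or split this hunk into its own commit. The enclosing `spec:` block begins outside the hunk.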