Fix rbac issues with dnsimple cert issuer.

2023-08-15 13:26:27 +00:00 · 2023-08-15 13:26:27 +00:00 · 623867a559
commit 623867a559
parent 385fa5377c
3 changed files with 23 additions and 4 deletions
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple-issuer-rbac.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple-issuer-rbac.yaml
@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flow-schema-reader
+rules:
+  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+    resources: ["flowschemas", "prioritylevelconfigurations"]
+    verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grant-flow-schema-permission
+subjects:
+  - kind: ServiceAccount
+    name: dnsimple-issuer-cert-manager-webhook-dnsimple
+    namespace: cert-manager
+roleRef:
+  kind: ClusterRole
+  name: flow-schema-reader
+  apiGroup: rbac.authorization.k8s.io
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
@ -6,4 +6,5 @@ resources:
  - ./externalsecret.yaml
  - ./issuer-letsencrypt-prod.yaml
  - ./issuer-letsencrypt-staging.yaml
+  - ./dnsimple-issuer-rbac.yaml
  - ./helmrelease.yaml
--- a/kubernetes/apps/security/external-secrets/ks.yaml
+++ b/kubernetes/apps/security/external-secrets/ks.yaml
@ -25,10 +25,6 @@ spec:
  sourceRef:
    kind: GitRepository
    name: valinor
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
  wait: true
  dependsOn:
    - name: cluster-apps-external-secrets