From 9b8c1e70b62e07d1a84fc14f97e5630513ebde5d Mon Sep 17 00:00:00 2001
From: Joe Hanson
Date: Fri, 2 Jun 2023 11:11:31 -0400
Subject: [PATCH] Grant the webhook permission to read the api-token Secret in the specified namespace.
---
 charts/dnsimple/templates/rbac.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/charts/dnsimple/templates/rbac.yaml b/charts/dnsimple/templates/rbac.yaml
index 2d09456..cbde256 100644
--- a/charts/dnsimple/templates/rbac.yaml
+++ b/charts/dnsimple/templates/rbac.yaml
@@ -9,6 +9,31 @@ metadata:
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 ---
+# Grant the webhook permission to read the api-token Secret in the specified namespace.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Release.Namespace | quote }}
+ name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
+ namespace: {{ .Release.Namespace | quote }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "dnsimple-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+roleRef:
+ kind: Role
+ name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
+ apiGroup: rbac.authorization.k8s.io
+---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
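Review bot: The new Role's rule (`resources: ["secrets"]`, `verbs: ["get", "watch"]`) has no `resourceNames`, so the webhook's ServiceAccount can read every Secret in the release namespace, not only the api-token Secret the comment names. Adding `resourceNames: ["<api-token-secret-name>"]` (placeholder; take the name from whichever chart value holds it) would keep a compromised webhook pod from reading unrelated credentials in that namespace. If the webhook only fetches the Secret by name, `verbs: ["get"]` is enough; `watch` under `resourceNames` is only authorized when the client watches with a matching `metadata.name` field selector. The Role and RoleBinding are both pinned to `.Release.Namespace`, so this presumably does not cover a token Secret stored in another namespace, which the comment above the Role should say explicitly.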