
The flowcontrol-solver ClusterRole and ClusterRoleBinding had an extra level of indentation for labels which resulted in invalid YAML after templating. This patch removes the extra indentation so Helm install works again.
# ServiceAccount for the webhook. It is the subject of every RoleBinding and
# ClusterRoleBinding in this file except the domain-solver binding, so the
# permissions granted to it are the sum of those roles.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "gcore-webhook.fullname" . }}
  labels:
  # The labels helper is emitted from column 0 and shifted right with
  # `indent 4` so that its lines nest under `labels:`.
{{ include "gcore-webhook.labels" . | indent 4 }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
# The binding is created in kube-system, which is where a RoleBinding resolves
# the namespaced Role it references; the subject ServiceAccount lives in the
# release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "gcore-webhook.fullname" . }}:webhook-authentication-reader
  namespace: kube-system
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  # ServiceAccounts belong to the core API group, hence the empty apiGroup.
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "gcore-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
# This binds the built-in system:auth-delegator ClusterRole to the webhook's
# ServiceAccount cluster-wide; that role covers delegated authentication and
# authorization checks.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "gcore-webhook.fullname" . }}:auth-delegator
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  # ServiceAccounts belong to the core API group, hence the empty apiGroup.
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "gcore-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
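---
# Grant cert-manager permission to validate using our apiserver
# The rule allows only the `create` verb. The '*' wildcard covers every
# resource, but only inside the single API group taken from .Values.groupName,
# so the breadth of this role is decided by that one value.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "gcore-webhook.fullname" . }}:domain-solver
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
rules:
  - apiGroups:
      # Quoted so the operator-supplied group name always renders as a YAML
      # string and can never be re-typed or parsed as other YAML syntax.
      - {{ .Values.groupName | quote }}
    resources:
      - '*'
    verbs:
      - 'create'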
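---
# Binds the domain-solver ClusterRole to cert-manager's ServiceAccount.
# Unlike the other bindings in this file, the subject is not the webhook's own
# ServiceAccount: it is taken entirely from chart values. Whichever account
# .Values.certManager.serviceAccountName / .Values.certManager.namespace name
# receives the role, so they must identify the cert-manager account intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "gcore-webhook.fullname" . }}:domain-solver
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "gcore-webhook.fullname" . }}:domain-solver
subjects:
  # ServiceAccounts belong to the core API group, hence the empty apiGroup.
  - apiGroup: ""
    kind: ServiceAccount
    # Both values are quoted so they always render as YAML strings; an unset
    # value becomes an explicit empty string instead of a bare null.
    name: {{ .Values.certManager.serviceAccountName | quote }}
    namespace: {{ .Values.certManager.namespace | quote }}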
---
# Binds the ClusterRole of the same name (defined in this file; it allows `get`
# on Secrets) to the webhook's ServiceAccount.
# NOTE(review): because this is a ClusterRoleBinding rather than a namespaced
# RoleBinding, the grant applies in every namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "gcore-webhook.fullname" . }}
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "gcore-webhook.fullname" . }}
subjects:
  # ServiceAccounts belong to the core API group, hence the empty apiGroup.
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "gcore-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
---
# Allows `get` on Secrets in the core API group. Only `get` is granted (no
# `list` or `watch`), so a caller has to know a Secret's namespace and name.
# NOTE(review): this is a ClusterRole, and this file binds it with a
# ClusterRoleBinding, so the webhook's ServiceAccount can read any Secret in
# any namespace - presumably far more than the provider credentials it needs.
# If the credential Secret's namespace or name is fixed, a namespaced
# Role/RoleBinding or a resourceNames list would narrow this; confirm against
# how the solver locates its Secret before changing it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "gcore-webhook.fullname" . }}
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
rules:
  - apiGroups:
      # The empty string selects the core API group.
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
---
# Grant the webhook permission to read the flow control mechanism (APF)
# objects: list and watch on PriorityLevelConfigurations and FlowSchemas.
# API Priority and Fairness is enabled by default in Kubernetes 1.20
# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
# The role is read-only: no create, update or delete verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "gcore-webhook.fullname" . }}:flowcontrol-solver
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - "prioritylevelconfigurations"
      - "flowschemas"
    verbs:
      - "list"
      - "watch"
---
# Binds the flowcontrol-solver ClusterRole (list/watch on the API Priority and
# Fairness objects, defined in this file) to the webhook's ServiceAccount.
# `labels:` sits directly under `metadata:`, level with `name:`; the commit
# description for this file reports that an extra indentation level here
# produced invalid YAML after templating.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "gcore-webhook.fullname" . }}:flowcontrol-solver
  labels:
{{ include "gcore-webhook.labels" . | indent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "gcore-webhook.fullname" . }}:flowcontrol-solver
subjects:
  # ServiceAccounts belong to the core API group, hence the empty apiGroup.
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "gcore-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}