Fixed some more rbac issues, v2022.03.15

2022-03-15 01:39:12 +09:00
parent c2272e3816
commit 4fe54aabf0
5 changed files with 140 additions and 50 deletions
--- a/deploy/freedns-webhook/templates/rbac.yaml
+++ b/deploy/freedns-webhook/templates/rbac.yaml
@@ -8,6 +8,45 @@ metadata:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "freedns-webhook.fullname" . }}:secret-read
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "freedns-webhook.name" . }}
+    chart: {{ include "freedns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - 'secrets'
+    verbs:
+      - 'get'
+---
+# Grant the webhook permission to read the secret
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "freedns-webhook.fullname" . }}:secret-read
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "freedns-webhook.name" . }}
+    chart: {{ include "freedns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "freedns-webhook.fullname" . }}:secret-read
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "freedns-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
--- a/deploy/freedns-webhook/values.yaml
+++ b/deploy/freedns-webhook/values.yaml
@@ -14,7 +14,7 @@ certManager:

 image:
  repository: penguinade/cert-manager-webhook-freedns
-  tag: latest
+  tag: 2022.03.15
  pullPolicy: IfNotPresent

 nameOverride: ""