Merge pull request #398 from SgtCoDFish/leasens

Tweak roles to fix permission errors

Author: cert-manager-prow[bot]

deploy/charts/istio-csr/templates/role.yaml

@@ -26,16 +26,3 @@ rules:
   verbs: ["get", "list", "watch"]
   resourceNames: [{{ . | quote }}]
 {{- end }}
-{{- if eq (toString .Values.app.tls.istiodCertificateEnable) "dynamic" }}
-- apiGroups:
-  - "cert-manager.io"
-  resources:
-  - "certificates"
-  verbs:
-  - "get"
-  - "create"
-  - "update"
-  - "delete"
-  - "watch"
-  - "list"
-{{- end }}

deploy/charts/istio-csr/templates/role_dynamic_istiod.yaml

@@ -0,0 +1,22 @@
+{{- if eq (toString .Values.app.tls.istiodCertificateEnable) "dynamic" }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    {{- include "cert-manager-istio-csr.labels" . | nindent 4 }}
+  name: {{ include "cert-manager-istio-csr.name" . }}-dynamic-istiod
+  namespace: {{ .Values.app.istio.namespace }}
+rules:
+- apiGroups:
+  - "cert-manager.io"
+  resources:
+  - "certificates"
+  verbs:
+  - "get"
+  - "create"
+  - "update"
+  - "delete"
+  - "watch"
+  - "list"
+{{- end }}
+

deploy/charts/istio-csr/templates/role_leases.yaml

@@ -16,4 +16,6 @@ rules:
   - "update"
   - "watch"
   - "list"
-
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create"]

deploy/charts/istio-csr/templates/rolebinding_dynamic_istiod.yaml

@@ -0,0 +1,16 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "cert-manager-istio-csr.name" . }}-dynamic-istiod
+  namespace: {{ .Values.app.istio.namespace }}
+  labels:
+    {{- include "cert-manager-istio-csr.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "cert-manager-istio-csr.name" . }}-dynamic-istiod
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cert-manager-istio-csr.name" . }}
+  namespace: {{ .Release.Namespace }}
+