adrien/ansible-role-k8s-cert-manager
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

First commit

Browse source
This commit is contained in:
Adrien Reslinger 2019-08-02 23:12:00 +02:00
parent 33faa0bbd0
commit 29a85200b6
45 changed files with 2381 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

45
templates/cert-manager-cr-certmanager-challenges-0.9.0.yaml Normal file
View file

@ -0,0 +1,45 @@
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Tiller
helm.sh/chart: cert-manager-v0.9.0
rules:
# Use to update challenge resource status
- apiGroups: ["certmanager.k8s.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["certmanager.k8s.io"]
resources: ["challenges", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["certmanager.k8s.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]