Serge Bazanski
3dd3ff5dcd
Change-Id: I7a4cdadc9956141292302bc004d09d6e9e22855e Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1497 Reviewed-by: informatic <informatic@hackerspace.pl>
local kube = import "../../../kube/kube.libsonnet";
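{
    // RBAC for cert-manager: ClusterRoles/ClusterRoleBindings for the
    // cainjector, the controller and the webhook, plus the namespaced Roles
    // and RoleBindings they need.
    //
    // This object is a mixin: `top.env` (deployment metadata) and `top.sas`
    // (the cainjector / certManager / webhook ServiceAccounts) are not defined
    // in this file and are expected to come from the object it is merged into.
    local top = self,

    // The leader-election Roles and their bindings live in kube-system, not in
    // the cert-manager namespace. One constant keeps the Role and RoleBinding
    // sides from drifting apart.
    local leaderElectionNamespace = "kube-system",

    // Both components use the same leader-election lock primitives
    // (ConfigMaps and coordination Leases), so the rule set is shared.
    local leaderElectionRules = [
        {
            apiGroups: [""],
            resources: ["configmaps"],
            verbs: ["get", "update", "patch"],
        },
        {
            apiGroups: [""],
            resources: ["configmaps"],
            verbs: ["create"],
        },
        {
            apiGroups: ["coordination.k8s.io"],
            resources: ["leases"],
            verbs: ["get", "update", "patch"],
        },
        {
            apiGroups: ["coordination.k8s.io"],
            resources: ["leases"],
            verbs: ["create"],
        },
    ],

    // Cluster-scoped roles.
    //
    // NOTE(review): the cainjector and every controller ClusterRole below grant
    // access to core `secrets` in all namespaces (the issuer/certificate
    // controllers also create, update and delete them). The ServiceAccounts
    // bound to these roles are therefore high-value identities; treat any
    // widening of these rules, and any additional binding to them, as a
    // privilege change worth a second review.
    crs: {
        cainjector: kube.ClusterRole("cert-manager-cainjector") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["get", "create", "update", "patch"],
                },
                // The cainjector rewrites CA bundles into these objects, which
                // is why it needs `update` on cluster-wide webhook and API
                // registration configuration.
                {
                    apiGroups: ["admissionregistration.k8s.io"],
                    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
                    verbs: ["get", "list", "watch", "update"],
                },
                {
                    apiGroups: ["apiregistration.k8s.io"],
                    resources: ["apiservices"],
                    verbs: ["get", "list", "watch", "update"],
                },
                {
                    apiGroups: ["apiextensions.k8s.io"],
                    resources: ["customresourcedefinitions"],
                    verbs: ["get", "list", "watch", "update"],
                },
                // auditregistration.k8s.io was an alpha API that has since been
                // removed from Kubernetes; this rule is inert on current
                // clusters and is kept only for parity with the upstream
                // cert-manager RBAC.
                {
                    apiGroups: ["auditregistration.k8s.io"],
                    resources: ["auditsinks"],
                    verbs: ["get", "list", "watch", "update"],
                },
            ],
        },

        controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["issuers", "issuers/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["issuers"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch", "create", "update", "delete"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
            ],
        },

        controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["clusterissuers", "clusterissuers/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["clusterissuers"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch", "create", "update", "delete"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
            ],
        },

        controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates/finalizers", "certificaterequests/finalizers"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["orders"],
                    verbs: ["create", "delete", "get", "list", "watch"],
                },
                // Issued keys and certificates are written to Secrets, hence
                // full write access here.
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch", "create", "update", "delete"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
            ],
        },

        controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
            rules: [
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["orders", "orders/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["orders", "challenges"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["clusterissuers", "issuers"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges"],
                    verbs: ["create", "delete"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["orders/finalizers"],
                    verbs: ["update"],
                },
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
            ],
        },

        controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
            rules: [
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges", "challenges/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["issuers", "clusterissuers"],
                    verbs: ["get", "list", "watch"],
                },
                // Read-only access to secrets. This rule appeared twice in the
                // original (once here and once after the finalizers rule);
                // the duplicate is folded into this single entry, the effective
                // permissions are unchanged.
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
                // HTTP-01 solver: the controller creates and removes solver
                // Pods, Services and Ingress/HTTPRoute objects in any
                // namespace, which is a broader write footprint than the
                // other controller roles.
                {
                    apiGroups: [""],
                    resources: ["pods", "services"],
                    verbs: ["get", "list", "watch", "create", "delete"],
                },
                {
                    apiGroups: ["networking.k8s.io"],
                    resources: ["ingresses"],
                    verbs: ["get", "list", "watch", "create", "delete", "update"],
                },
                {
                    apiGroups: ["networking.x-k8s.io"],
                    resources: ["httproutes"],
                    verbs: ["get", "list", "watch", "create", "delete", "update"],
                },
                {
                    apiGroups: ["route.openshift.io"],
                    resources: ["routes/custom-host"],
                    verbs: ["create"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges/finalizers"],
                    verbs: ["update"],
                },
            ],
        },

        controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests"],
                    verbs: ["create", "update", "delete"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["networking.k8s.io"],
                    resources: ["ingresses"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["networking.k8s.io"],
                    resources: ["ingresses/finalizers"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["networking.x-k8s.io"],
                    resources: ["gateways", "httproutes"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["networking.x-k8s.io"],
                    resources: ["gateways/finalizers", "httproutes/finalizers"],
                    verbs: ["update"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
            ],
        },

        // `view` and `edit` are user-facing roles; no binding for them is
        // defined in this file, they are meant to be bound to users or groups
        // elsewhere.
        view: kube.ClusterRole("cert-manager-view") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests", "issuers"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges", "orders"],
                    verbs: ["get", "list", "watch"],
                },
            ],
        },

        edit: kube.ClusterRole("cert-manager-edit") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests", "issuers"],
                    verbs: ["create", "delete", "deletecollection", "patch", "update"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges", "orders"],
                    verbs: ["create", "delete", "deletecollection", "patch", "update"],
                },
            ],
        },

        // The `approve` verb on cert-manager.io signers is what allows the
        // controller to approve CertificateRequests. Any other identity given
        // this verb can effectively authorise issuance, so it is bound only to
        // the controller ServiceAccount.
        controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["signers"],
                    verbs: ["approve"],
                },
            ],
        },

        // Kubernetes CSR integration: `sign` on certificates.k8s.io signers
        // lets the controller act as a signer for CertificateSigningRequests;
        // subjectaccessreviews are created to check the requester's rights.
        controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
            rules: [
                {
                    apiGroups: ["certificates.k8s.io"],
                    resources: ["certificatesigningrequests"],
                    verbs: ["get", "list", "watch", "update"],
                },
                {
                    apiGroups: ["certificates.k8s.io"],
                    resources: ["certificatesigningrequests/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["certificates.k8s.io"],
                    resources: ["signers"],
                    verbs: ["sign"],
                },
                {
                    apiGroups: ["authorization.k8s.io"],
                    resources: ["subjectaccessreviews"],
                    verbs: ["create"],
                },
            ],
        },

        webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
            rules: [
                {
                    apiGroups: ["authorization.k8s.io"],
                    resources: ["subjectaccessreviews"],
                    verbs: ["create"],
                },
            ],
        },
    },

    // Bindings of the cluster roles above. Every controller role is bound to
    // the single `certManager` ServiceAccount; the cainjector and webhook get
    // only their own roles.
    crbs: {
        cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
            roleRef_: top.crs.cainjector,
            subjects_: [top.sas.cainjector],
        },

        controllerIssuers: kube.ClusterRoleBinding("cert-manager-controller-issuers") {
            roleRef_: top.crs.controllerIssuers,
            subjects_: [top.sas.certManager],
        },

        controllerClusterissuers: kube.ClusterRoleBinding("cert-manager-controller-clusterissuers") {
            roleRef_: top.crs.controllerClusterissuers,
            subjects_: [top.sas.certManager],
        },

        controllerCertificates: kube.ClusterRoleBinding("cert-manager-controller-certificates") {
            roleRef_: top.crs.controllerCertificates,
            subjects_: [top.sas.certManager],
        },

        controllerOrders: kube.ClusterRoleBinding("cert-manager-controller-orders") {
            roleRef_: top.crs.controllerOrders,
            subjects_: [top.sas.certManager],
        },

        controllerChallenges: kube.ClusterRoleBinding("cert-manager-controller-challenges") {
            roleRef_: top.crs.controllerChallenges,
            subjects_: [top.sas.certManager],
        },

        controllerIngressShim: kube.ClusterRoleBinding("cert-manager-controller-ingress-shim") {
            roleRef_: top.crs.controllerIngressShim,
            subjects_: [top.sas.certManager],
        },

        controllerApproveCertManagerIo: kube.ClusterRoleBinding("cert-manager-controller-approve:cert-manager-io") {
            roleRef_: top.crs.controllerApproveCertManagerIo,
            subjects_: [top.sas.certManager],
        },

        controllerCertificatesigningrequests: kube.ClusterRoleBinding("cert-manager-controller-certificatesigningrequests") {
            roleRef_: top.crs.controllerCertificatesigningrequests,
            subjects_: [top.sas.certManager],
        },

        webhookSubjectaccessreviews: kube.ClusterRoleBinding("cert-manager-webhook:subjectaccessreviews") {
            roleRef_: top.crs.webhookSubjectaccessreviews,
            subjects_: [top.sas.webhook],
        },
    },

    // Namespaced roles. The leader-election roles are placed in kube-system
    // (namespace overridden on top of `top.env.metadata`); the webhook's
    // dynamic-serving role stays in the deployment namespace.
    roles: {
        cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
            metadata+: top.env.metadata {
                namespace: leaderElectionNamespace,
            },
            rules: leaderElectionRules,
        },

        leaderelection: kube.Role("cert-manager:leaderelection") {
            metadata+: top.env.metadata {
                namespace: leaderElectionNamespace,
            },
            rules: leaderElectionRules,
        },

        // The webhook manages its own serving certificate in a Secret in its
        // namespace; this is the only namespaced secrets write access here.
        webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
            metadata+: top.env.metadata,
            rules: [
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch", "update"],
                },
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["create"],
                },
            ],
        },
    },

    // RoleBindings; each must live in the same namespace as the Role it
    // references, so the namespaces mirror the `roles` section above.
    rbs: {
        cainjectorLeaderelection: kube.RoleBinding("cert-manager-cainjector:leaderelection") {
            metadata+: {
                namespace: leaderElectionNamespace,
            },
            roleRef_: top.roles.cainjectorLeaderelection,
            subjects_: [top.sas.cainjector],
        },

        leaderelection: kube.RoleBinding("cert-manager:leaderelection") {
            metadata+: {
                namespace: leaderElectionNamespace,
            },
            roleRef_: top.roles.leaderelection,
            subjects_: [top.sas.certManager],
        },

        webhookDynamicServing: kube.RoleBinding("cert-manager-webhook:dynamic-serving") {
            metadata+: {
                namespace: top.env.metadata.namespace,
            },
            roleRef_: top.roles.webhookDynamicServing,
            subjects_: [top.sas.webhook],
        },
    },
}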