diff --git a/README.md b/README.md index 8b7ea843e..5cb5a8345 100644 --- a/README.md +++ b/README.md @@ -49,9 +49,11 @@ To deploy the latest version of cert-manager using Helm, run: $ helm install --name cert-manager --namespace kube-system contrib/charts/cert-manager ``` -**NOTE** +#### Deploy RBAC roles -* There are currently no official RBAC roles defined for cert-manager (see [#34](https://github.com/jetstack-experimental/cert-manager/issues/34)) +``` +$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/rbac.yaml +``` ### 2. Set up letsencrypt staging issuer diff --git a/contrib/charts/cert-manager/templates/deployment.yaml b/contrib/charts/cert-manager/templates/deployment.yaml index 80a7585f0..09cb95979 100644 --- a/contrib/charts/cert-manager/templates/deployment.yaml +++ b/contrib/charts/cert-manager/templates/deployment.yaml @@ -15,6 +15,8 @@ spec: app: {{ template "name" . }} release: {{ .Release.Name }} spec: + serviceAccount: {{ template "fullname" . }} + serviceAccountName: {{ template "fullname" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/contrib/charts/cert-manager/templates/rbac.yaml b/contrib/charts/cert-manager/templates/rbac.yaml new file mode 100644 index 000000000..702d4caf0 --- /dev/null +++ b/contrib/charts/cert-manager/templates/rbac.yaml 
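Review bot: In the deployment.yaml hunk, `serviceAccount:` is the deprecated spelling of `serviceAccountName:` in PodSpec, so the two added lines set the same field twice; keeping only `serviceAccountName: {{ template "fullname" . }}` is enough and avoids the deprecation warning on newer API servers. The referenced ServiceAccount is created unconditionally by the new serviceaccount.yaml (same `fullname`), so the reference still resolves when `rbac.enabled` is false; a short comment on the line, `# ServiceAccount from templates/serviceaccount.yaml; ClusterRole bound only when rbac.enabled`, would make that dependency visible to whoever edits the chart next. The enclosing Deployment spec continues outside the hunk.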
@@ -0,0 +1,42 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "issuers"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["secrets", "events", "endpoints", "services"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["*"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["list", "watch", "create", "delete", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "fullname" . }}
+subjects:
+- name: {{ template "fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ kind: ServiceAccount
+{{- end -}}
\ No newline at end of file
diff --git a/contrib/charts/cert-manager/templates/serviceaccount.yaml b/contrib/charts/cert-manager/templates/serviceaccount.yaml
new file mode 100644
index 000000000..b65d4c92a
--- /dev/null
+++ b/contrib/charts/cert-manager/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
diff --git a/contrib/charts/cert-manager/values.yaml b/contrib/charts/cert-manager/values.yaml
index c6c3e3e79..22487e13f 100644
--- a/contrib/charts/cert-manager/values.yaml
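Review bot: The core-group rule in the new ClusterRole grants `verbs: ["*"]` on `secrets` (and on `services`/`endpoints`), and because it is bound through a ClusterRoleBinding the controller's token can read, overwrite and delete every Secret in every namespace, so a compromise of the cert-manager pod becomes a cluster-wide credential dump rather than a loss of the certificates it manages. Wildcard also silently includes `patch` and `deletecollection`, which a certificate controller has no obvious need for. Enumerate the verbs instead, as the `batch` rule already does, e.g. `verbs: ["get", "list", "watch", "create", "update", "delete"]`, and consider splitting the `events` rule down to `["create", "patch"]`; the exact set the controller needs is not visible in this diff and should be confirmed against its client calls before tightening. A comment above `rules:` stating why each resource is needed would also help reviewers keep the role minimal as features are added.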
+++ b/contrib/charts/cert-manager/values.yaml @@ -10,4 +10,7 @@ image: createCustomResource: true +rbac: + enabled: true + resources: {} diff --git a/docs/rbac.yaml b/docs/rbac.yaml new file mode 100644 index 000000000..7187e0f68 --- /dev/null +++ b/docs/rbac.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager +rules: +- apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "issuers"] + verbs: ["*"] +- apiGroups: [""] + resources: ["secrets", "events", "endpoints", "services"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["*"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "watch", "create", "delete", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager +subjects: +- namespace: default + kind: ServiceAccount + name: default
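Review bot: The ClusterRoleBinding in docs/rbac.yaml binds the role to the `default` ServiceAccount in the `default` namespace, which hands cluster-wide `*` on `secrets` to every pod in `default` that does not set its own `serviceAccountName`, not just to cert-manager. It also does not match the README step on the same page, which installs the chart into `kube-system` where the chart now creates its own ServiceAccount, so this binding neither targets that deployment nor is scoped to it. Create a dedicated account and bind to it instead: `- kind: ServiceAccount` / `name: cert-manager` / `namespace: kube-system` (or whichever namespace the manifests documented here deploy into), and add the matching `ServiceAccount` object to this file. The wildcard-verb concern raised on the chart's rbac.yaml applies to these rules as well.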