| local kube = import "../../../kube/kube.libsonnet"; |
| { |
| local top = self, |
| crs: { |
// cainjector: may read Certificates and Secrets, and may update the objects in
// `injectionTargets` (presumably to write CA bundles into them — only the verbs are visible here).
cainjector: kube.ClusterRole("cert-manager-cainjector") {
  // Every rule in this role names exactly one API group.
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  // Objects the cainjector is allowed to update. Order here is the order of the rendered rules.
  // NOTE(review): `update` on validating/mutating webhook configurations is effectively a
  // cluster-admin-level capability (a rewritten webhook sees every admission request); it is
  // inherent to the cainjector, so keep this SA's credentials tightly scoped to its pod.
  local injectionTargets = [
    ["admissionregistration.k8s.io", ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]],
    ["apiregistration.k8s.io", ["apiservices"]],
    ["apiextensions.k8s.io", ["customresourcedefinitions"]],
    // NOTE(review): auditregistration.k8s.io (AuditSink) no longer exists in current Kubernetes
    // releases; this entry is inert there and can be dropped once no such cluster is supported.
    ["auditregistration.k8s.io", ["auditsinks"]],
  ],
  rules: [
    rule("cert-manager.io", ["certificates"], readOnly),
    // NOTE(review): cluster-wide read of every Secret, not just CA secrets. RBAC cannot narrow a
    // list/watch by name, so this stays, but treat the cainjector SA as a secret-reading identity.
    rule("", ["secrets"], readOnly),
    rule("", ["events"], ["get", "create", "update", "patch"]),
  ] + [
    rule(target[0], target[1], readOnly + ["update"])
    for target in injectionTargets
  ],
},
// Controller rules for namespaced Issuers.
controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  rules: [
    rule("cert-manager.io", ["issuers", "issuers/status"], ["update"]),
    rule("cert-manager.io", ["issuers"], readOnly),
    // NOTE(review): read+write on Secrets in every namespace. This is the broadest grant in the
    // file; the controller SA holds it via this role and the clusterissuers/certificates roles,
    // so a compromise of the controller pod is a compromise of every Secret in the cluster.
    rule("", ["secrets"], readOnly + ["create", "update", "delete"]),
    rule("", ["events"], ["create", "patch"]),
  ],
},
// Controller rules for ClusterIssuers; same shape as the Issuers role, different resource.
controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  rules: [
    rule("cert-manager.io", ["clusterissuers", "clusterissuers/status"], ["update"]),
    rule("cert-manager.io", ["clusterissuers"], readOnly),
    // NOTE(review): cluster-wide Secret read/write (ClusterIssuer credentials live in Secrets,
    // presumably in the cert-manager namespace, but RBAC cannot scope a ClusterRole to one).
    rule("", ["secrets"], readOnly + ["create", "update", "delete"]),
    rule("", ["events"], ["create", "patch"]),
  ],
},
// Controller rules for Certificates and CertificateRequests, plus the ACME Orders they spawn.
controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  local cm = "cert-manager.io",
  rules: [
    rule(cm, ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"], ["update"]),
    rule(cm, ["certificates", "certificaterequests", "clusterissuers", "issuers"], readOnly),
    rule(cm, ["certificates/finalizers", "certificaterequests/finalizers"], ["update"]),
    rule("acme.cert-manager.io", ["orders"], ["create", "delete"] + readOnly),
    // NOTE(review): cluster-wide Secret read/write — issued keys and certificates are written
    // to Secrets in the Certificate's namespace, so this cannot be narrowed by RBAC alone.
    rule("", ["secrets"], readOnly + ["create", "update", "delete"]),
    rule("", ["events"], ["create", "patch"]),
  ],
},
// Controller rules for ACME Orders: owns Orders, creates/deletes Challenges, reads issuers.
controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  local acme = "acme.cert-manager.io",
  rules: [
    rule(acme, ["orders", "orders/status"], ["update"]),
    rule(acme, ["orders", "challenges"], readOnly),
    rule("cert-manager.io", ["clusterissuers", "issuers"], readOnly),
    rule(acme, ["challenges"], ["create", "delete"]),
    rule(acme, ["orders/finalizers"], ["update"]),
    // Secrets are read-only in this role (presumably the ACME account key); Secret writes come
    // from the certificates role bound to the same SA.
    rule("", ["secrets"], readOnly),
    rule("", ["events"], ["create", "patch"]),
  ],
},
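// Controller rules for ACME Challenges. Besides the Challenge objects themselves this role lets
// the controller stand up solver resources (Pods, Services, Ingresses, HTTPRoutes, OpenShift
// Routes) in any namespace.
// Fix: the original listed the read-only Secrets rule twice; the duplicate is dropped. RBAC
// rules are a union, so the effective permissions are unchanged — only the manifest is shorter.
controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  local acme = "acme.cert-manager.io",
  rules: [
    rule(acme, ["challenges", "challenges/status"], ["update"]),
    rule(acme, ["challenges"], readOnly),
    rule("cert-manager.io", ["issuers", "clusterissuers"], readOnly),
    rule("", ["secrets"], readOnly),
    rule("", ["events"], ["create", "patch"]),
    // NOTE(review): create/delete of Pods and Services in every namespace. Solver Pods run with
    // whatever this SA is allowed to create, so pair this with an admission policy (PodSecurity
    // or equivalent) that constrains what those Pods may request.
    rule("", ["pods", "services"], readOnly + ["create", "delete"]),
    rule("networking.k8s.io", ["ingresses"], readOnly + ["create", "delete", "update"]),
    // NOTE(review): networking.x-k8s.io is the Gateway API v1alpha1 group. A cluster that only
    // serves gateway.networking.k8s.io gets nothing from this rule — TODO confirm which the
    // target clusters run.
    rule("networking.x-k8s.io", ["httproutes"], readOnly + ["create", "delete", "update"]),
    rule("route.openshift.io", ["routes/custom-host"], ["create"]),
    rule(acme, ["challenges/finalizers"], ["update"]),
  ],
},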
// ingress-shim: watches Ingresses and Gateway API objects and manages the Certificates /
// CertificateRequests they ask for (presumably via annotations). Consequently anyone who can
// write Ingresses/Gateways in a namespace can have this controller create Certificates there;
// which issuer they may reference is the only brake on that.
controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local readOnly = ["get", "list", "watch"],
  local cm = "cert-manager.io",
  local gatewayApi = "networking.x-k8s.io",
  rules: [
    rule(cm, ["certificates", "certificaterequests"], ["create", "update", "delete"]),
    rule(cm, ["certificates", "certificaterequests", "issuers", "clusterissuers"], readOnly),
    rule("networking.k8s.io", ["ingresses"], readOnly),
    rule("networking.k8s.io", ["ingresses/finalizers"], ["update"]),
    rule(gatewayApi, ["gateways", "httproutes"], readOnly),
    rule(gatewayApi, ["gateways/finalizers", "httproutes/finalizers"], ["update"]),
    rule("", ["events"], ["create", "patch"]),
  ],
},
// Read-only role over namespaced cert-manager resources (ClusterIssuers are not included, so
// it is safe to hand out per namespace via RoleBinding). No aggregation labels are set here, so
// unless kube.ClusterRole adds them it only applies where explicitly bound.
view: kube.ClusterRole("cert-manager-view") {
  local readOnly = ["get", "list", "watch"],
  rules: [
    { apiGroups: ["cert-manager.io"], resources: ["certificates", "certificaterequests", "issuers"], verbs: readOnly },
    { apiGroups: ["acme.cert-manager.io"], resources: ["challenges", "orders"], verbs: readOnly },
  ],
},
// Write role over the same namespaced resources as `view`. It carries no read verbs, so bind it
// together with `view`. Holders can create Issuers (and raw Orders/Challenges) in the namespace,
// i.e. they decide what gets issued there; ClusterIssuers remain out of reach.
edit: kube.ClusterRole("cert-manager-edit") {
  local writeVerbs = ["create", "delete", "deletecollection", "patch", "update"],
  rules: [
    { apiGroups: ["cert-manager.io"], resources: ["certificates", "certificaterequests", "issuers"], verbs: writeVerbs },
    { apiGroups: ["acme.cert-manager.io"], resources: ["challenges", "orders"], verbs: writeVerbs },
  ],
},
// Lets the controller approve CertificateRequests: the `approve` verb on cert-manager.io
// signers is (presumably) what the cert-manager webhook checks before accepting an approval.
// NOTE(review): no `resourceNames`, so this is approval for every signer. The built-in approver
// needs all issuers anyway; the real control is which subjects this role gets bound to — do not
// reuse it for humans or other controllers.
controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
  rules: [{
    apiGroups: ["cert-manager.io"],
    resources: ["signers"],
    verbs: ["approve"],
  }],
},
// Kubernetes CertificateSigningRequest support: the controller watches CSRs, writes their
// status, and issues SubjectAccessReviews.
controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
  local rule(group, resources, verbs) = { apiGroups: [group], resources: resources, verbs: verbs },
  local csr = "certificates.k8s.io",
  rules: [
    rule(csr, ["certificatesigningrequests"], ["get", "list", "watch", "update"]),
    rule(csr, ["certificatesigningrequests/status"], ["update"]),
    // NOTE(review): `sign` without `resourceNames` lets this SA populate status.certificate on
    // a CSR for *any* signerName (the API server authorizes CSR status writes against the
    // signer), not only the issuer/clusterissuer signers cert-manager serves. Narrow this with
    // resourceNames to the signer-name patterns this cert-manager version uses — TODO confirm
    // the exact patterns before changing, as a wrong value breaks CSR issuance.
    rule(csr, ["signers"], ["sign"]),
    rule("authorization.k8s.io", ["subjectaccessreviews"], ["create"]),
  ],
},
// The webhook only needs to ask the API server authorization questions (SubjectAccessReview
// create, presumably for approval checks); this role grants exactly that and nothing else.
webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
  rules: [{
    apiGroups: ["authorization.k8s.io"],
    resources: ["subjectaccessreviews"],
    verbs: ["create"],
  }],
},
| }, |
// Cluster-wide bindings. Every controller* role is bound to the single certManager service
// account, so that SA's effective permissions are the union of all of them (cluster-wide
// Secret write, Pod/Service create, CSR signing, CertificateRequest approval). The cainjector
// and the webhook each get exactly one role.
crbs: {
  local bind(name, role, subject) = kube.ClusterRoleBinding(name) {
    roleRef_: role,
    subjects_: [subject],
  },
  local controller = top.sas.certManager,
  cainjector: bind("cert-manager-cainjector", top.crs.cainjector, top.sas.cainjector),
  controllerIssuers: bind("cert-manager-controller-issuers", top.crs.controllerIssuers, controller),
  controllerClusterissuers: bind("cert-manager-controller-clusterissuers", top.crs.controllerClusterissuers, controller),
  controllerCertificates: bind("cert-manager-controller-certificates", top.crs.controllerCertificates, controller),
  controllerOrders: bind("cert-manager-controller-orders", top.crs.controllerOrders, controller),
  controllerChallenges: bind("cert-manager-controller-challenges", top.crs.controllerChallenges, controller),
  controllerIngressShim: bind("cert-manager-controller-ingress-shim", top.crs.controllerIngressShim, controller),
  controllerApproveCertManagerIo: bind("cert-manager-controller-approve:cert-manager-io", top.crs.controllerApproveCertManagerIo, controller),
  controllerCertificatesigningrequests: bind("cert-manager-controller-certificatesigningrequests", top.crs.controllerCertificatesigningrequests, controller),
  webhookSubjectaccessreviews: bind("cert-manager-webhook:subjectaccessreviews", top.crs.webhookSubjectaccessreviews, top.sas.webhook),
},
// Namespaced Roles: leader-election locks in kube-system for the cainjector and the controller,
// and the webhook's serving-certificate Secret in cert-manager's own namespace.
roles: {
  local rule(group, resource, verbs) = { apiGroups: [group], resources: [resource], verbs: verbs },
  local inKubeSystem = top.env.metadata { namespace: "kube-system" },
  // Leader-election rules, identical for both components: a get/update/patch rule and a
  // separate create rule, for the ConfigMap lock and the Lease lock.
  // NOTE(review): the two-rule split exists so that get/update/patch can carry a
  // `resourceNames:` list (create cannot be name-scoped). No such list is present, so each of
  // these SAs can read and modify *every* ConfigMap and Lease in kube-system, not just its own
  // lock. Add `resourceNames` with the lock object name(s) the deployments actually use — TODO
  // confirm against the leader-election flags on the cainjector/controller deployments.
  local leaderElectionRules = [
    rule("", "configmaps", ["get", "update", "patch"]),
    rule("", "configmaps", ["create"]),
    rule("coordination.k8s.io", "leases", ["get", "update", "patch"]),
    rule("coordination.k8s.io", "leases", ["create"]),
  ],
  cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
    metadata+: inKubeSystem,
    rules: leaderElectionRules,
  },
  leaderelection: kube.Role("cert-manager:leaderelection") {
    metadata+: inKubeSystem,
    rules: leaderElectionRules,
  },
  webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
    metadata+: top.env.metadata,
    // NOTE(review): same pattern as above. The webhook only needs its own serving-CA Secret, but
    // without `resourceNames` this grants get/list/watch/update of every Secret in the
    // cert-manager namespace — including issuer credentials and CA private keys stored there.
    // Scope the first rule to the Secret name the webhook is configured with — TODO confirm.
    rules: [
      rule("", "secrets", ["get", "list", "watch", "update"]),
      rule("", "secrets", ["create"]),
    ],
  },
},
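// Namespaced bindings. Each binding's namespace is taken from the Role it references instead
// of being repeated by hand, so the two cannot drift apart (a RoleBinding only resolves a Role
// in its own namespace; a mismatch fails silently at authorization time, not at apply time).
// Rendered output is unchanged: the kube-system Roles yield "kube-system" and the webhook Role
// yields top.env.metadata.namespace, exactly the literals used before.
rbs: {
  local bind(name, role, subject) = kube.RoleBinding(name) {
    metadata+: { namespace: role.metadata.namespace },
    roleRef_: role,
    subjects_: [subject],
  },
  cainjectorLeaderelection: bind("cert-manager-cainjector:leaderelection", top.roles.cainjectorLeaderelection, top.sas.cainjector),
  leaderelection: bind("cert-manager:leaderelection", top.roles.leaderelection, top.sas.certManager),
  webhookDynamicServing: bind("cert-manager-webhook:dynamic-serving", top.roles.webhookDynamicServing, top.sas.webhook),
},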
| } |