diff --git a/helm/designate-certmanager-webhook/templates/rbac.yaml b/helm/designate-certmanager-webhook/templates/rbac.yaml index 12999d98..caf7a58c 100644 --- a/helm/designate-certmanager-webhook/templates/rbac.yaml +++ b/helm/designate-certmanager-webhook/templates/rbac.yaml @@ -98,3 +98,43 @@ subjects: kind: ServiceAccount name: {{ include "designate-certmanager-webhook.fullname" . }} namespace: {{ .Release.Namespace }} +--- +# Allow using API Priority and Fairness feature +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "designate-certmanager-webhook.fullname" . }}:flowcontrol-solver + labels: + app: {{ include "designate-certmanager-webhook.name" . }} + chart: {{ include "designate-certmanager-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - 'flowschemas' + - 'prioritylevelconfigurations' + verbs: + - 'get' + - 'watch' + - 'list' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "designate-certmanager-webhook.fullname" . }}:flowcontrol-solver + labels: + app: {{ include "designate-certmanager-webhook.name" . }} + chart: {{ include "designate-certmanager-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "designate-certmanager-webhook.fullname" . }}:flowcontrol-solver +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "designate-certmanager-webhook.fullname" . }} + namespace: {{ .Release.Namespace }}