
  1. {{- if .Values.rbac.create -}}
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  4. kind: Role
  5. {{- else }}
  6. kind: ClusterRole
  7. {{- end }}
  8. metadata:
  9. name: {{ include "external-secrets.fullname" . }}-controller
  10. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  11. namespace: {{ .Values.scopedNamespace | quote }}
  12. {{- end }}
  13. labels:
  14. {{- include "external-secrets.labels" . | nindent 4 }}
  15. rules:
  16. {{- if .Values.v2.enabled }}
  17. - apiGroups:
  18. - "provider.external-secrets.io"
  19. resources:
  20. - "kubernetes"
  21. - "awssecretsmanagers"
  22. - "fakes"
  23. verbs:
  24. - "get"
  25. - "list"
  26. - "watch"
  27. {{- end }}
  28. - apiGroups:
  29. - "external-secrets.io"
  30. resources:
  31. - "secretstores"
  32. {{- if .Values.v2.enabled }}
  33. - "providers"
  34. - "clusterproviders"
  35. {{- end }}
  36. {{- if .Values.processClusterStore }}
  37. - "clustersecretstores"
  38. {{- end }}
  39. - "externalsecrets"
  40. {{- if .Values.processClusterExternalSecret }}
  41. - "clusterexternalsecrets"
  42. {{- end }}
  43. {{- if .Values.processPushSecret }}
  44. - "pushsecrets"
  45. {{- end }}
  46. {{- if .Values.processClusterPushSecret }}
  47. - "clusterpushsecrets"
  48. {{- end }}
  49. verbs:
  50. - "get"
  51. - "list"
  52. - "watch"
  53. - apiGroups:
  54. - "external-secrets.io"
  55. resources:
  56. {{- if .Values.v2.enabled }}
  57. - "providers"
  58. - "providers/status"
  59. - "clusterproviders"
  60. - "clusterproviders/status"
  61. {{- end }}
  62. - "externalsecrets"
  63. - "externalsecrets/status"
  64. {{- if .Values.openshiftFinalizers }}
  65. - "externalsecrets/finalizers"
  66. {{- end }}
  67. - "secretstores"
  68. - "secretstores/status"
  69. {{- if .Values.openshiftFinalizers }}
  70. - "secretstores/finalizers"
  71. {{- end }}
  72. {{- if .Values.processClusterStore }}
  73. - "clustersecretstores"
  74. - "clustersecretstores/status"
  75. {{- if .Values.openshiftFinalizers }}
  76. - "clustersecretstores/finalizers"
  77. {{- end }}
  78. {{- end }}
  79. {{- if .Values.processClusterExternalSecret }}
  80. - "clusterexternalsecrets"
  81. - "clusterexternalsecrets/status"
  82. {{- if .Values.openshiftFinalizers }}
  83. - "clusterexternalsecrets/finalizers"
  84. {{- end }}
  85. {{- end }}
  86. {{- if .Values.processPushSecret }}
  87. - "pushsecrets"
  88. - "pushsecrets/status"
  89. {{- if .Values.openshiftFinalizers }}
  90. - "pushsecrets/finalizers"
  91. {{- end }}
  92. {{- end }}
  93. {{- if .Values.processClusterPushSecret }}
  94. - "clusterpushsecrets"
  95. - "clusterpushsecrets/status"
  96. {{- if .Values.openshiftFinalizers }}
  97. - "clusterpushsecrets/finalizers"
  98. {{- end }}
  99. {{- end }}
  100. verbs:
  101. - "get"
  102. - "update"
  103. - "patch"
  104. - apiGroups:
  105. - "generators.external-secrets.io"
  106. resources:
  107. - "generatorstates"
  108. verbs:
  109. - "get"
  110. - "list"
  111. - "watch"
  112. - "create"
  113. - "update"
  114. - "patch"
  115. - "delete"
  116. - "deletecollection"
  117. - apiGroups:
  118. - "generators.external-secrets.io"
  119. resources:
  120. - "acraccesstokens"
  121. - "cloudsmithaccesstokens"
  122. {{- if .Values.processClusterGenerator }}
  123. - "clustergenerators"
  124. {{- end }}
  125. - "ecrauthorizationtokens"
  126. - "fakes"
  127. - "gcraccesstokens"
  128. - "githubaccesstokens"
  129. - "quayaccesstokens"
  130. - "passwords"
  131. - "sshkeys"
  132. - "stssessiontokens"
  133. - "uuids"
  134. - "vaultdynamicsecrets"
  135. - "webhooks"
  136. - "grafanas"
  137. - "mfas"
  138. verbs:
  139. - "get"
  140. - "list"
  141. - "watch"
  142. - apiGroups:
  143. - ""
  144. resources:
  145. - "serviceaccounts"
  146. - "namespaces"
  147. verbs:
  148. - "get"
  149. - "list"
  150. - "watch"
  151. {{- if .Values.processClusterExternalSecret }}
  152. - apiGroups:
  153. - ""
  154. resources:
  155. - "namespaces"
  156. verbs:
  157. - "update"
  158. - "patch"
  159. {{- end }}
  160. - apiGroups:
  161. - ""
  162. resources:
  163. - "configmaps"
  164. verbs:
  165. - "get"
  166. - "list"
  167. - "watch"
  168. - apiGroups:
  169. - ""
  170. resources:
  171. - "secrets"
  172. verbs:
  173. - "get"
  174. - "list"
  175. - "watch"
  176. - "create"
  177. - "update"
  178. - "delete"
  179. - "patch"
  180. {{- if .Values.genericTargets.enabled }}
  181. # Generic target permissions (ConfigMaps)
  182. - apiGroups:
  183. - ""
  184. resources:
  185. - "configmaps"
  186. verbs:
  187. - "create"
  188. - "update"
  189. - "delete"
  190. - "patch"
  191. {{- range .Values.genericTargets.resources }}
  192. # Custom resource permissions for non-Secret targets
  193. - apiGroups:
  194. - {{ .apiGroup | quote }}
  195. resources:
  196. {{- range .resources }}
  197. - {{ . | quote }}
  198. {{- end }}
  199. verbs:
  200. {{- range .verbs }}
  201. - {{ . | quote }}
  202. {{- end }}
  203. {{- end }}
  204. {{- end }}
  205. - apiGroups:
  206. - ""
  207. resources:
  208. - "serviceaccounts/token"
  209. verbs:
  210. - "create"
  211. - apiGroups:
  212. - ""
  213. resources:
  214. - "events"
  215. verbs:
  216. - "create"
  217. - "patch"
  218. - apiGroups:
  219. - "external-secrets.io"
  220. resources:
  221. - "externalsecrets"
  222. verbs:
  223. - "create"
  224. - "update"
  225. - "delete"
  226. {{- if .Values.processPushSecret }}
  227. - apiGroups:
  228. - "external-secrets.io"
  229. resources:
  230. - "pushsecrets"
  231. verbs:
  232. - "create"
  233. - "update"
  234. - "delete"
  235. {{- end }}
  236. ---
  237. apiVersion: rbac.authorization.k8s.io/v1
  238. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  239. kind: Role
  240. {{- else }}
  241. kind: ClusterRole
  242. {{- end }}
  243. metadata:
  244. name: {{ include "external-secrets.fullname" . }}-view
  245. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  246. namespace: {{ .Values.scopedNamespace | quote }}
  247. {{- end }}
  248. labels:
  249. {{- include "external-secrets.labels" . | nindent 4 }}
  250. {{- if .Values.rbac.aggregateToView }}
  251. rbac.authorization.k8s.io/aggregate-to-view: "true"
  252. {{- end }}
  253. {{- if .Values.rbac.aggregateToEdit }}
  254. rbac.authorization.k8s.io/aggregate-to-edit: "true"
  255. {{- end }}
  256. rbac.authorization.k8s.io/aggregate-to-admin: "true"
  257. rules:
  258. - apiGroups:
  259. - "external-secrets.io"
  260. resources:
  261. - "externalsecrets"
  262. - "secretstores"
  263. {{- if .Values.v2.enabled }}
  264. - "providers"
  265. - "clusterproviders"
  266. {{- end }}
  267. {{- if .Values.processClusterStore }}
  268. - "clustersecretstores"
  269. {{- end }}
  270. {{- if .Values.processPushSecret }}
  271. - "pushsecrets"
  272. {{- end }}
  273. {{- if .Values.processClusterPushSecret }}
  274. - "clusterpushsecrets"
  275. {{- end }}
  276. verbs:
  277. - "get"
  278. - "watch"
  279. - "list"
  280. - apiGroups:
  281. - "generators.external-secrets.io"
  282. resources:
  283. - "acraccesstokens"
  284. - "cloudsmithaccesstokens"
  285. {{- if .Values.processClusterGenerator }}
  286. - "clustergenerators"
  287. {{- end }}
  288. - "ecrauthorizationtokens"
  289. - "fakes"
  290. - "gcraccesstokens"
  291. - "githubaccesstokens"
  292. - "quayaccesstokens"
  293. - "passwords"
  294. - "sshkeys"
  295. - "vaultdynamicsecrets"
  296. - "webhooks"
  297. - "grafanas"
  298. - "generatorstates"
  299. - "mfas"
  300. - "uuids"
  301. verbs:
  302. - "get"
  303. - "watch"
  304. - "list"
  305. ---
  306. apiVersion: rbac.authorization.k8s.io/v1
  307. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  308. kind: Role
  309. {{- else }}
  310. kind: ClusterRole
  311. {{- end }}
  312. metadata:
  313. name: {{ include "external-secrets.fullname" . }}-edit
  314. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  315. namespace: {{ .Values.scopedNamespace | quote }}
  316. {{- end }}
  317. labels:
  318. {{- include "external-secrets.labels" . | nindent 4 }}
  319. {{- if .Values.rbac.aggregateToEdit }}
  320. rbac.authorization.k8s.io/aggregate-to-edit: "true"
  321. {{- end }}
  322. rbac.authorization.k8s.io/aggregate-to-admin: "true"
  323. rules:
  324. - apiGroups:
  325. - "external-secrets.io"
  326. resources:
  327. - "externalsecrets"
  328. - "secretstores"
  329. {{- if .Values.v2.enabled }}
  330. - "providers"
  331. - "clusterproviders"
  332. {{- end }}
  333. {{- if .Values.processClusterStore }}
  334. - "clustersecretstores"
  335. {{- end }}
  336. {{- if .Values.processPushSecret }}
  337. - "pushsecrets"
  338. {{- end }}
  339. {{- if .Values.processClusterPushSecret }}
  340. - "clusterpushsecrets"
  341. {{- end }}
  342. verbs:
  343. - "create"
  344. - "delete"
  345. - "deletecollection"
  346. - "patch"
  347. - "update"
  348. - apiGroups:
  349. - "generators.external-secrets.io"
  350. resources:
  351. - "acraccesstokens"
  352. - "cloudsmithaccesstokens"
  353. {{- if .Values.processClusterGenerator }}
  354. - "clustergenerators"
  355. {{- end }}
  356. - "ecrauthorizationtokens"
  357. - "fakes"
  358. - "gcraccesstokens"
  359. - "githubaccesstokens"
  360. - "quayaccesstokens"
  361. - "passwords"
  362. - "sshkeys"
  363. - "vaultdynamicsecrets"
  364. - "webhooks"
  365. - "grafanas"
  366. - "generatorstates"
  367. - "mfas"
  368. - "uuids"
  369. verbs:
  370. - "create"
  371. - "delete"
  372. - "deletecollection"
  373. - "patch"
  374. - "update"
  375. ---
  376. apiVersion: rbac.authorization.k8s.io/v1
  377. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  378. kind: RoleBinding
  379. {{- else }}
  380. kind: ClusterRoleBinding
  381. {{- end }}
  382. metadata:
  383. name: {{ include "external-secrets.fullname" . }}-controller
  384. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  385. namespace: {{ .Values.scopedNamespace | quote }}
  386. {{- end }}
  387. labels:
  388. {{- include "external-secrets.labels" . | nindent 4 }}
  389. roleRef:
  390. apiGroup: rbac.authorization.k8s.io
  391. {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  392. kind: Role
  393. {{- else }}
  394. kind: ClusterRole
  395. {{- end }}
  396. name: {{ include "external-secrets.fullname" . }}-controller
  397. subjects:
  398. - name: {{ include "external-secrets.serviceAccountName" . }}
  399. namespace: {{ template "external-secrets.namespace" . }}
  400. kind: ServiceAccount
  401. ---
  402. apiVersion: rbac.authorization.k8s.io/v1
  403. kind: Role
  404. metadata:
  405. name: {{ include "external-secrets.fullname" . }}-leaderelection
  406. namespace: {{ template "external-secrets.namespace" . }}
  407. labels:
  408. {{- include "external-secrets.labels" . | nindent 4 }}
  409. rules:
  410. - apiGroups:
  411. - ""
  412. resources:
  413. - "configmaps"
  414. resourceNames:
  415. - "external-secrets-controller"
  416. verbs:
  417. - "get"
  418. - "update"
  419. - "patch"
  420. - apiGroups:
  421. - ""
  422. resources:
  423. - "configmaps"
  424. verbs:
  425. - "create"
  426. - apiGroups:
  427. - "coordination.k8s.io"
  428. resources:
  429. - "leases"
  430. verbs:
  431. - "get"
  432. - "create"
  433. - "update"
  434. - "patch"
  435. ---
  436. apiVersion: rbac.authorization.k8s.io/v1
  437. kind: RoleBinding
  438. metadata:
  439. name: {{ include "external-secrets.fullname" . }}-leaderelection
  440. namespace: {{ template "external-secrets.namespace" . }}
  441. labels:
  442. {{- include "external-secrets.labels" . | nindent 4 }}
  443. roleRef:
  444. apiGroup: rbac.authorization.k8s.io
  445. kind: Role
  446. name: {{ include "external-secrets.fullname" . }}-leaderelection
  447. subjects:
  448. - kind: ServiceAccount
  449. name: {{ include "external-secrets.serviceAccountName" . }}
  450. namespace: {{ template "external-secrets.namespace" . }}
  451. {{- if .Values.rbac.servicebindings.create }}
  452. ---
  453. apiVersion: rbac.authorization.k8s.io/v1
  454. kind: ClusterRole
  455. metadata:
  456. name: {{ include "external-secrets.fullname" . }}-servicebindings
  457. labels:
  458. servicebinding.io/controller: "true"
  459. {{- include "external-secrets.labels" . | nindent 4 }}
  460. rules:
  461. - apiGroups:
  462. - "external-secrets.io"
  463. resources:
  464. - "externalsecrets"
  465. {{- if .Values.processPushSecret }}
  466. - "pushsecrets"
  467. {{- end }}
  468. verbs:
  469. - "get"
  470. - "list"
  471. - "watch"
  472. {{- end }}
  473. {{- end }}
  474. {{- if .Values.systemAuthDelegator }}
  475. ---
  476. apiVersion: rbac.authorization.k8s.io/v1
  477. kind: ClusterRoleBinding
  478. metadata:
  479. name: {{ include "external-secrets.fullname" . }}-auth-delegator
  480. labels:
  481. {{- include "external-secrets.labels" . | nindent 4 }}
  482. roleRef:
  483. apiGroup: rbac.authorization.k8s.io
  484. kind: ClusterRole
  485. name: system:auth-delegator
  486. subjects:
  487. - kind: ServiceAccount
  488. name: {{ include "external-secrets.serviceAccountName" . }}
  489. namespace: {{ template "external-secrets.namespace" . }}
  490. {{- end }}