
{{- if .Values.rbac.create -}}
# Controller role: the permissions the operator's own ServiceAccount runs with
# (bound by the "-controller" binding further down). It renders as a namespaced
# Role only when both scopedNamespace and scopedRBAC are set; otherwise it is a
# ClusterRole and every rule below applies in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
  name: {{ include "external-secrets.fullname" . }}-controller
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  namespace: {{ .Values.scopedNamespace | quote }}
  {{- end }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
rules:
  {{- if .Values.v2.enabled }}
  # v2 provider kinds: read-only.
  - apiGroups:
      - "provider.external-secrets.io"
    resources:
      - "kubernetes"
      - "awssecretsmanagers"
      - "fakes"
    verbs:
      - "get"
      - "list"
      - "watch"
  {{- end }}
  # Read access to the store and secret CRDs. Cluster-scoped kinds are only
  # added when the matching process* flag is on, so leaving those flags off
  # keeps them out of the role entirely.
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "secretstores"
  {{- if .Values.v2.enabled }}
      - "providerstores"
      - "clusterproviderstores"
      - "clusterproviderclasses"
  {{- end }}
  {{- if .Values.processClusterStore }}
      - "clustersecretstores"
  {{- end }}
      - "externalsecrets"
  {{- if .Values.processClusterExternalSecret }}
      - "clusterexternalsecrets"
  {{- end }}
  {{- if .Values.processPushSecret }}
      - "pushsecrets"
  {{- end }}
  {{- if .Values.processClusterPushSecret }}
      - "clusterpushsecrets"
  {{- end }}
    verbs:
      - "get"
      - "list"
      - "watch"
  # Write access (get/update/patch, no create or delete) to the same CRDs and
  # their status subresources. The */finalizers subresources are added only
  # with openshiftFinalizers — presumably for OpenShift's owner-reference
  # admission enforcement, which needs finalizers permission; confirm.
  - apiGroups:
      - "external-secrets.io"
    resources:
  {{- if .Values.v2.enabled }}
      - "providerstores"
      - "providerstores/status"
      - "clusterproviderstores"
      - "clusterproviderstores/status"
      - "clusterproviderclasses"
      - "clusterproviderclasses/status"
  {{- end }}
      - "externalsecrets"
      - "externalsecrets/status"
  {{- if .Values.openshiftFinalizers }}
      - "externalsecrets/finalizers"
  {{- end }}
      - "secretstores"
      - "secretstores/status"
  {{- if .Values.openshiftFinalizers }}
      - "secretstores/finalizers"
  {{- end }}
  {{- if .Values.processClusterStore }}
      - "clustersecretstores"
      - "clustersecretstores/status"
  {{- if .Values.openshiftFinalizers }}
      - "clustersecretstores/finalizers"
  {{- end }}
  {{- end }}
  {{- if .Values.processClusterExternalSecret }}
      - "clusterexternalsecrets"
      - "clusterexternalsecrets/status"
  {{- if .Values.openshiftFinalizers }}
      - "clusterexternalsecrets/finalizers"
  {{- end }}
  {{- end }}
  {{- if .Values.processPushSecret }}
      - "pushsecrets"
      - "pushsecrets/status"
  {{- if .Values.openshiftFinalizers }}
      - "pushsecrets/finalizers"
  {{- end }}
  {{- end }}
  {{- if .Values.processClusterPushSecret }}
      - "clusterpushsecrets"
      - "clusterpushsecrets/status"
  {{- if .Values.openshiftFinalizers }}
      - "clusterpushsecrets/finalizers"
  {{- end }}
  {{- end }}
    verbs:
      - "get"
      - "update"
      - "patch"
  # generatorstates is the only generator resource the controller may create
  # and delete; the generator kinds themselves (next rule) are read-only.
  - apiGroups:
      - "generators.external-secrets.io"
    resources:
      - "generatorstates"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "create"
      - "update"
      - "patch"
      - "delete"
      - "deletecollection"
  - apiGroups:
      - "generators.external-secrets.io"
    resources:
      - "acraccesstokens"
      - "cloudsmithaccesstokens"
  {{- if .Values.processClusterGenerator }}
      - "clustergenerators"
  {{- end }}
      - "ecrauthorizationtokens"
      - "fakes"
      - "gcraccesstokens"
      - "githubaccesstokens"
      - "quayaccesstokens"
      - "passwords"
      - "sshkeys"
      - "stssessiontokens"
      - "uuids"
      - "vaultdynamicsecrets"
      - "webhooks"
      - "grafanas"
      - "mfas"
    verbs:
      - "get"
      - "list"
      - "watch"
  - apiGroups:
      - ""
    resources:
      - "serviceaccounts"
      - "namespaces"
    verbs:
      - "get"
      - "list"
      - "watch"
  {{- if .Values.processClusterExternalSecret }}
  # Write access to Namespace objects, only with processClusterExternalSecret.
  # As a ClusterRole this is update/patch on every namespace in the cluster.
  - apiGroups:
      - ""
    resources:
      - "namespaces"
    verbs:
      - "update"
      - "patch"
  {{- end }}
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "get"
      - "list"
      - "watch"
  # Full read/write on Secrets: the broadest grant in this role. Under the
  # default ClusterRole rendering it covers every namespace, so scopedNamespace
  # + scopedRBAC is the lever for confining it to one namespace.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "create"
      - "update"
      - "delete"
      - "patch"
  {{- if .Values.genericTargets.enabled }}
  # Generic target permissions (ConfigMaps)
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "create"
      - "update"
      - "delete"
      - "patch"
  # Each genericTargets.resources entry is copied verbatim (apiGroup, resources,
  # verbs) into this role, so reviewing that values list is reviewing the
  # controller's privileges: an entry there widens them with no other change
  # to the chart.
  {{- range .Values.genericTargets.resources }}
  # Custom resource permissions for non-Secret targets
  - apiGroups:
      - {{ .apiGroup | quote }}
    resources:
  {{- range .resources }}
      - {{ . | quote }}
  {{- end }}
    verbs:
  {{- range .verbs }}
      - {{ . | quote }}
  {{- end }}
  {{- end }}
  {{- end }}
  # Lets the controller request tokens for ServiceAccounts in scope
  # (the TokenRequest subresource).
  - apiGroups:
      - ""
    resources:
      - "serviceaccounts/token"
    verbs:
      - "create"
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs:
      - "create"
      - "patch"
  # Create/update/delete of ExternalSecrets (read access comes from the earlier
  # rule); PushSecrets get the same verbs only when processPushSecret is on.
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
    verbs:
      - "create"
      - "update"
      - "delete"
  {{- if .Values.processPushSecret }}
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "pushsecrets"
    verbs:
      - "create"
      - "update"
      - "delete"
  {{- end }}
---
# "-view" role: read-only access to the chart's CRDs for cluster users. No
# binding in this file references it; it is picked up by aggregation into the
# built-in admin role (always) and into view/edit when rbac.aggregateToView /
# rbac.aggregateToEdit are set. Aggregation only works on ClusterRoles, so
# when this renders as a namespaced Role the aggregate-to-* labels are inert.
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
  name: {{ include "external-secrets.fullname" . }}-view
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  namespace: {{ .Values.scopedNamespace | quote }}
  {{- end }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
    {{- if .Values.rbac.aggregateToView }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    {{- end }}
    {{- if .Values.rbac.aggregateToEdit }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    {{- end }}
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
      - "secretstores"
  # NOTE(review): the controller role names the v2 kinds providerstores /
  # clusterproviderstores / clusterproviderclasses; here they are providers /
  # clusterproviders. Confirm which names match the installed CRDs.
  {{- if .Values.v2.enabled }}
      - "providers"
      - "clusterproviders"
  {{- end }}
  {{- if .Values.processClusterStore }}
      - "clustersecretstores"
  {{- end }}
  {{- if .Values.processPushSecret }}
      - "pushsecrets"
  {{- end }}
  {{- if .Values.processClusterPushSecret }}
      - "clusterpushsecrets"
  {{- end }}
    verbs:
      - "get"
      - "watch"
      - "list"
  # NOTE(review): this generator list omits "stssessiontokens", which the
  # controller role reads; verify whether the omission is intentional.
  - apiGroups:
      - "generators.external-secrets.io"
    resources:
      - "acraccesstokens"
      - "cloudsmithaccesstokens"
  {{- if .Values.processClusterGenerator }}
      - "clustergenerators"
  {{- end }}
      - "ecrauthorizationtokens"
      - "fakes"
      - "gcraccesstokens"
      - "githubaccesstokens"
      - "quayaccesstokens"
      - "passwords"
      - "sshkeys"
      - "vaultdynamicsecrets"
      - "webhooks"
      - "grafanas"
      - "generatorstates"
      - "mfas"
      - "uuids"
    verbs:
      - "get"
      - "watch"
      - "list"
---
# "-edit" role: mutating verbs on the same CRDs as "-view", for cluster users.
# It carries no get/list/watch — presumably read access is expected to come
# from "-view", which is aggregated to admin as well; confirm. Always
# aggregated to admin, and to edit when rbac.aggregateToEdit is set.
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
  name: {{ include "external-secrets.fullname" . }}-edit
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  namespace: {{ .Values.scopedNamespace | quote }}
  {{- end }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
    {{- if .Values.rbac.aggregateToEdit }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    {{- end }}
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
      - "secretstores"
  # NOTE(review): v2 kind names differ from the controller role (providerstores
  # / clusterproviderstores / clusterproviderclasses there); confirm against the
  # installed CRDs.
  {{- if .Values.v2.enabled }}
      - "providers"
      - "clusterproviders"
  {{- end }}
  {{- if .Values.processClusterStore }}
      - "clustersecretstores"
  {{- end }}
  {{- if .Values.processPushSecret }}
      - "pushsecrets"
  {{- end }}
  {{- if .Values.processClusterPushSecret }}
      - "clusterpushsecrets"
  {{- end }}
    verbs:
      - "create"
      - "delete"
      - "deletecollection"
      - "patch"
      - "update"
  # NOTE(review): "stssessiontokens" is absent here but present in the
  # controller role's generator list; verify this is intentional.
  - apiGroups:
      - "generators.external-secrets.io"
    resources:
      - "acraccesstokens"
      - "cloudsmithaccesstokens"
  {{- if .Values.processClusterGenerator }}
      - "clustergenerators"
  {{- end }}
      - "ecrauthorizationtokens"
      - "fakes"
      - "gcraccesstokens"
      - "githubaccesstokens"
      - "quayaccesstokens"
      - "passwords"
      - "sshkeys"
      - "vaultdynamicsecrets"
      - "webhooks"
      - "grafanas"
      - "generatorstates"
      - "mfas"
      - "uuids"
    verbs:
      - "create"
      - "delete"
      - "deletecollection"
      - "patch"
      - "update"
---
# Binds the "-controller" role above to the controller's ServiceAccount. Kind
# and namespace follow the same scopedNamespace + scopedRBAC switch as the role,
# so a scoped install gets a RoleBinding in that namespace and an unscoped one
# gets a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
  name: {{ include "external-secrets.fullname" . }}-controller
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  namespace: {{ .Values.scopedNamespace | quote }}
  {{- end }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  kind: Role
  {{- else }}
  kind: ClusterRole
  {{- end }}
  name: {{ include "external-secrets.fullname" . }}-controller
subjects:
  # The subject lives in the release namespace, which may differ from
  # scopedNamespace (the namespace the scoped Role is created in).
  - name: {{ include "external-secrets.serviceAccountName" . }}
    namespace: {{ template "external-secrets.namespace" . }}
    kind: ServiceAccount
---
# Leader-election role, always namespaced to the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "external-secrets.fullname" . }}-leaderelection
  namespace: {{ template "external-secrets.namespace" . }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
rules:
  # get/update/patch are pinned to the single lock ConfigMap via resourceNames.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    resourceNames:
      - "external-secrets-controller"
    verbs:
      - "get"
      - "update"
      - "patch"
  # "create" cannot be restricted by resourceNames (the name is not known at
  # admission time), hence the separate, unrestricted rule.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "create"
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - "leases"
    verbs:
      - "get"
      - "create"
      - "update"
      - "patch"
---
# Binds the leader-election Role to the controller's ServiceAccount in the
# release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-leaderelection
  namespace: {{ template "external-secrets.namespace" . }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "external-secrets.fullname" . }}-leaderelection
subjects:
  - kind: ServiceAccount
    name: {{ include "external-secrets.serviceAccountName" . }}
    namespace: {{ template "external-secrets.namespace" . }}
{{- if .Values.rbac.servicebindings.create }}
---
# Optional read-only ClusterRole for a Service Binding controller, selected by
# the servicebinding.io/controller label. Unlike the roles above it is always a
# ClusterRole: scopedNamespace / scopedRBAC do not narrow it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-servicebindings
  labels:
    servicebinding.io/controller: "true"
    {{- include "external-secrets.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
  {{- if .Values.processPushSecret }}
      - "pushsecrets"
  {{- end }}
    verbs:
      - "get"
      - "list"
      - "watch"
{{- end }}
{{- end }}
{{- if .Values.systemAuthDelegator }}
---
# Rendered independently of rbac.create. Binds the controller's ServiceAccount
# to the built-in system:auth-delegator ClusterRole (delegated token and
# access review), which is cluster-wide by nature.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-auth-delegator
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: {{ include "external-secrets.serviceAccountName" . }}
    namespace: {{ template "external-secrets.namespace" . }}
{{- end }}