add rbac.secret.write

`rbac.secret.write` enables cluster wide create and update access to secrets. Acme needs this access to write new issued certificates.
haproxy-ingress · Oct 31, 2020 · e87e9f1 · e87e9f1
1 parent c455f75
commit e87e9f1
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/haproxy-ingress/README.md b/haproxy-ingress/README.md
@@ -64,6 +64,7 @@ The following table lists the configurable parameters of the HAProxy Ingress cha
 Parameter | Description | Default
 --- | --- | ---
 `rbac.create` | If true, create & use RBAC resources | `true`
+`rbac.secret.write` | If true, and rbac.create is true, add write access to secrets, used by acme | `false`
 `rbac.security.enable` | If true, and rbac.create is true, create & use PSP resources | `false`
 `serviceAccount.create` | If true, create serviceAccount | `true`
 `serviceAccount.name` | ServiceAccount to be used | ``

diff --git a/haproxy-ingress/templates/clusterrole.yaml b/haproxy-ingress/templates/clusterrole.yaml
@@ -39,6 +39,15 @@ rules:
       - get
       - list
       - watch
+{{- if .Values.rbac.secret.write }}
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - update
+{{- end }}
   - apiGroups:
       - ""
     resources:

diff --git a/haproxy-ingress/values.yaml b/haproxy-ingress/values.yaml
@@ -1,6 +1,8 @@
 # Enable RBAC
 rbac:
   create: true
+  secret:
+    write: false
   security:
     enable: false