From e87e9f1a8460678798b10dbf8cb200d34e840800 Mon Sep 17 00:00:00 2001
From: Joao Morais
Date: Wed, 28 Oct 2020 20:53:22 -0300
Subject: [PATCH] add rbac.secret.write

`rbac.secret.write` enables cluster wide create and update access to secrets. Acme needs this access to write new issued certificates.
---
 haproxy-ingress/README.md | 1 +
 haproxy-ingress/templates/clusterrole.yaml | 9 +++++++++
 haproxy-ingress/values.yaml | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/haproxy-ingress/README.md b/haproxy-ingress/README.md
index 0601322..4b91e2a 100755
--- a/haproxy-ingress/README.md
+++ b/haproxy-ingress/README.md
@@ -64,6 +64,7 @@ The following table lists the configurable parameters of the HAProxy Ingress cha
 Parameter | Description | Default
 --- | --- | ---
 `rbac.create` | If true, create & use RBAC resources | `true`
+`rbac.secret.write` | If true, and rbac.create is true, add write access to secrets, used by acme | `false`
 `rbac.security.enable` | If true, and rbac.create is true, create & use PSP resources | `false`
 `serviceAccount.create` | If true, create serviceAccount | `true`
 `serviceAccount.name` | ServiceAccount to be used | ``
diff --git a/haproxy-ingress/templates/clusterrole.yaml b/haproxy-ingress/templates/clusterrole.yaml
index 0a8fcf1..868999c 100644
--- a/haproxy-ingress/templates/clusterrole.yaml
+++ b/haproxy-ingress/templates/clusterrole.yaml
@@ -39,6 +39,15 @@ rules:
 - get
 - list
 - watch
+{{- if .Values.rbac.secret.write }}
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+{{- end }}
 - apiGroups:
 - ""
 resources:
diff --git a/haproxy-ingress/values.yaml b/haproxy-ingress/values.yaml
index c61e43e..c1f76e3 100644
--- a/haproxy-ingress/values.yaml
+++ b/haproxy-ingress/values.yaml
@@ -1,6 +1,8 @@
 # Enable RBAC
 rbac:
 create: true
+ secret:
+ write: false
 security:
 enable: false
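Review bot: The rule added under `{{- if .Values.rbac.secret.write }}` in clusterrole.yaml sits in the ClusterRole, so enabling the flag grants `create` and `update` on Secrets in every namespace, not only on the certificate secrets acme writes. `update` lets the controller's service account overwrite any existing Secret cluster-wide, a wider blast radius than the README row's "add write access to secrets" conveys if that account is ever compromised. Consider offering a namespaced Role/RoleBinding for the namespaces that hold certificates, and at minimum state the scope next to the flag in values.yaml, e.g. `# write: grants create/update on Secrets in all namespaces; enable only when acme is used`. The rules list starts and ends outside the hunk, so how this combines with the read verbs granted by the neighbouring rules is not visible here.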