feat: improve installation with roles and bindings

Not perfect but this will help someone create the necessary bits to give
access to the webhook to use the functionality.

Signed-off-by: Doug Goldstein <[email protected]>

README.md

@@ -26,7 +26,7 @@ To uninstall you can run the following:
 helm uninstall --namespace cert-manager cert-manager-webhook-rackspace
 ```
 
-## Usage
+## Usage with ClusterIssuer
 
 To use the Rackspace Cloud DNS webhook, you must have an account with admin permissions
 to the Cloud DNS service and must know the Rackspace API key for that account.
@@ -37,21 +37,21 @@ An example secret to provide the credentials would be:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: rackspace-creds
+  name: cert-manager-webhook-rackspace-creds
+  namespace: cert-manager
 type: Opaque
 stringData:
   username: my-username-here
   api-key: my-api-key-here
 ```
 
-Then you can create an `Issuer` or a `ClusterIssuer`. An example would be:
+Then you can create a `ClusterIssuer`. An example would be:
 
 ```yaml
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
   name: letsencrypt-staging
-  namespace: cm-test
 spec:
   acme:
     # The ACME server URL
@@ -70,7 +70,9 @@ spec:
           groupName: acme.mycompany.com  # replace with the groupName you set for the helm chart
           solverName: rackspace
           config:
-            authSecretRef: rackspace-creds
+            # for a ClusterIssuer this secret will live in the cert-manager namespace
+            # and will need to be named the deployment name + "-creds"
+            authSecretRef: cert-manager-webhook-rackspace-creds
             domainName: some.domain.tld
 ```
 
@@ -87,10 +89,50 @@ spec:
     - something.some.domain.tld
   issuerRef:
     name: letsencrypt-staging
-    kind: Issuer
+    kind: ClusterIssuer
   secretName: example-cert
 ```
 
+## Usage with Issuer
+
+Using an `Issuer` is a bit more complicated since you must create
+the credentials secret in the namespace where your `Issuer` will
+live and give the `cert-manager-webhook-rackspace` ServiceAccount
+access to read it. In the example below it's assumed you'll be
+creating your secret named `name-of-secret`. Once this is
+done the steps will remain similar to the `ClusterIssuer` above.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-rackspace:secret-reader
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    resourceNames:
+      - "name-of-secret"
+    verbs:
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-rackspace:secret-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-rackspace:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-rackspace
+    namespace: cert-manager
+```
+
 [cert-manager]: <https://cert-manager.io>
 [webhook-solver]: <https://cert-manager.io/docs/configuration/acme/dns01/webhook/>
 [raxclouddns]: <https://docs.rackspace.com/docs/cloud-dns>

charts/cert-manager-webhook-rackspace/templates/_helpers.tpl

@@ -46,3 +46,7 @@ Create chart name and version as used by the chart label.
 {{- define "cert-manager-webhook-rackspace.servingCertificate" -}}
 {{ printf "%s-webhook-tls" (include "cert-manager-webhook-rackspace.fullname" .) }}
 {{- end -}}
+
+{{- define "cert-manager-webhook-rackspace.credSecretName" -}}
+{{ printf "%s-creds" (include "cert-manager-webhook-rackspace.fullname" .) }}
+{{- end -}}

charts/cert-manager-webhook-rackspace/templates/rbac.yaml

@@ -89,3 +89,73 @@ subjects:
     kind: ServiceAccount
     name: {{ .Values.certManager.serviceAccountName }}
     namespace: {{ .Values.certManager.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "cert-manager-webhook-rackspace.fullname" . }}:secret-reader
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    resourceNames:
+      - {{ include "cert-manager-webhook-rackspace.credSecretName" . }}
+    verbs:
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-rackspace.fullname" . }}:secret-reader
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "cert-manager-webhook-rackspace.fullname" . }}:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-rackspace.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cert-manager-webhook-rackspace.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "cert-manager-webhook-rackspace.name" . }}
+    chart: {{ include "cert-manager-webhook-rackspace.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - "flowcontrol.apiserver.k8s.io"
+    resources:
+      - 'prioritylevelconfigurations'
+      - 'flowschemas'
+    verbs:
+      - 'list'
+      - 'watch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-rackspace.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "cert-manager-webhook-rackspace.name" . }}
+    chart: {{ include "cert-manager-webhook-rackspace.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cert-manager-webhook-rackspace.fullname" . }}:flowcontrol-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-rackspace.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}
+---