--- /dev/null
+{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ .Release.namespace }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ # Defaults to "<election-id>-<ingress-class>"
+ # Here: "<kong-ingress-controller-leader-nginx>-<nginx>"
+ # This has to be adapted if you change either parameter
+ # when launching the nginx-ingress-controller.
+ - "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kong.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kong.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+ name: {{ template "kong.fullname" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - "configuration.konghq.com"
+ resources:
+ - kongplugins
+ - kongcredentials
+ - kongconsumers
+ - kongingresses
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kong.fullname" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kong.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kong.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}