Allow reading the secret

charts/cert-manager-duckdns-webhook/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: Helm Chart for the Cert Manager DuckDNS WebHook
 name: cert-manager-duckdns-webhook
-version: 1.1.1
+version: 1.1.2
 
 maintainers:
   - name: csp33

charts/cert-manager-duckdns-webhook/templates/rbac.yaml

@@ -89,3 +89,46 @@ subjects:
     kind: ServiceAccount
     name: {{ .Values.certManager.serviceAccountName }}
     namespace: {{ .Values.certManager.namespace }}
+
+---
+# Grant access to the token secret
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "cert-manager-duckdns-webhook.fullname" . }}:secret-reader
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-duckdns-webhook.name" . }}
+    chart: {{ include "cert-manager-duckdns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    resourceNames:
+      - "{{ include "cert-manager-duckdns-webhook.secretName" . }}"
+    verbs:
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager-duckdns-webhook.fullname" . }}:secret-reader
+  namespace: {{ .Values.certManager.namespace | quote }}
+  labels:
+    app: {{ include "cert-manager-duckdns-webhook.name" . }}
+    chart: {{ include "cert-manager-duckdns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ include "cert-manager-duckdns-webhook.fullname" . }}:secret-reader
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-duckdns-webhook.fullname" . }}
+    namespace: {{ .Values.certManager.namespace | quote }}