chore(cert-manager): reduce secret permissions (#1295)

Signed-off-by: Florian Bacher <[email protected]>

klt-cert-manager/config/rbac/role.yaml

@@ -55,9 +55,15 @@ rules:
   - secrets
   verbs:
   - create
-  - delete
-  - get
   - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - klt-certs
+  resources:
+  - secrets
+  verbs:
+  - get
   - patch
   - update
-  - watch

klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go

@@ -37,7 +37,8 @@ type KeptnWebhookCertificateReconciler struct {
 // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch;
 
 //role
-// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;update;patch,resourceNames=klt-certs
+// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=create;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -98,7 +99,6 @@ func (r *KeptnWebhookCertificateReconciler) SetupWithManager(mgr ctrl.Manager) e
 		WithEventFilter(eventfilter.ForLabelsAndNamespace(labels.SelectorFromSet(r.MatchLabels), r.Namespace)).
 		Owns(&corev1.Secret{}).
 		Complete(r)
-
 }
 
 func (r *KeptnWebhookCertificateReconciler) setCertificates(ctx context.Context, certSecret *certificateSecret) error {