fix serviceaccount list flowcontrol forbidden

Makefile

@@ -3,7 +3,7 @@ OS ?= $(shell $(GO) env GOOS)
 ARCH ?= $(shell $(GO) env GOARCH)
 
 IMAGE_NAME := wjiec/alidns-webhook
-IMAGE_TAG := latest
+IMAGE_TAG := $(shell cat VERSION)
 
 KUBE_VERSION=1.25.0
 

VERSION

@@ -0,0 +1 @@
+0.1.0

charts/alidns-webhook/templates/_helpers.tpl

@@ -76,5 +76,5 @@ Create the name of the service account to use
 {{- end -}}
 
 {{- define "alidns-webhook.servingCertificate" -}}
-{{ printf "%s-webhook-tls" (include "alidns-webhook.fullname" .) }}
+{{ printf "%s-tls" (include "alidns-webhook.fullname" .) }}
 {{- end -}}

charts/alidns-webhook/templates/deployment.yaml

@@ -26,7 +26,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - --tls-cert-file=/tls/tls.crt

charts/alidns-webhook/templates/rbac.yaml

@@ -7,7 +7,7 @@ metadata:
     {{- include "alidns-webhook.labels" . | nindent 4 }}
 ---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
-# apiserver's requestheader-ca-certificate.
+# apiserver"s requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -44,6 +44,36 @@ subjects:
     name: {{ include "alidns-webhook.fullname" . }}
     namespace: {{ .Release.Namespace }}
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alidns-webhook.fullname" . }}:flowcontrol
+  labels:
+    {{- include "alidns-webhook.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - flowcontrol.apiserver.k8s.io
+    resources:
+      - "*"
+    verbs:
+      - "list"
+      - "get"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alidns-webhook.fullname" . }}:flowcontrol
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "alidns-webhook.fullname" . }}:flowcontrol
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "alidns-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
 # Grant cert-manager permission to validate using our apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -55,9 +85,9 @@ rules:
   - apiGroups:
       - {{ .Values.groupName }}
     resources:
-      - '*'
+      - "*"
     verbs:
-      - 'create'
+      - "create"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -74,3 +104,33 @@ subjects:
     kind: ServiceAccount
     name: {{ .Values.certManager.serviceAccountName }}
     namespace: {{ .Values.certManager.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alidns-webhook.fullname" . }}:secrets
+  labels:
+    {{- include "alidns-webhook.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "get"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alidns-webhook.fullname" . }}:secrets
+  labels:
+    {{- include "alidns-webhook.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: ""
+  kind: ClusterRole
+  name: {{ include "alidns-webhook.fullname" . }}:secrets
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "alidns-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}

charts/alidns-webhook/values.yaml

@@ -18,7 +18,7 @@ replicaCount: 1
 
 image:
   repository: wjiec/alidns-webhook
-  tag: latest
+  tag: ""
   pullPolicy: IfNotPresent
 
 nameOverride: ""