{{- if eq .Values.secretManager "eso" -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: external-secret-integration labels: {{- include "cd-pipeline-operator.labels" . | nindent 4 }} rules: - apiGroups: [ "" ] resources: - secrets verbs: - get - list - watch - apiGroups: - authorization.k8s.io resources: - selfsubjectrulesreviews verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: manage-external-secret-integration labels: {{- include "cd-pipeline-operator.labels" . | nindent 4 }} rules: - apiGroups: [ "rbac.authorization.k8s.io" ] resources: - roles - rolebindings verbs: - get - list - watch - update - patch - delete - create - escalate - bind --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: manage-external-secret-integration-binding labels: {{- include "cd-pipeline-operator.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: manage-external-secret-integration subjects: - kind: ServiceAccount name: edp-{{ .Values.name }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: {{- include "cd-pipeline-operator.labels" . | nindent 4 }} name: external-secrets-manager-{{ .Release.Namespace }} rules: - apiGroups: - external-secrets.io resources: - secretstores - externalsecrets verbs: - get - list - watch - update - patch - delete - create - apiGroups: - "" resources: - serviceaccounts verbs: - get - list - watch - update - patch - delete - create - escalate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: {{- include "cd-pipeline-operator.labels" . | nindent 4 }} name: external-secrets-manager-rolebinding-{{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: external-secrets-manager-{{ .Release.Namespace }} subjects: - kind: ServiceAccount name: edp-{{ .Values.name }} namespace: {{ .Release.Namespace }} {{- end -}}