Add poollet permissions for certificate signing

config/apiserver/rbac/bucketpool_role.yaml

@@ -16,6 +16,21 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/bucketpoolclient
+  verbs:
+  - create
 - apiGroups:
   - storage.api.onmetal.de
   resources:

config/apiserver/rbac/machinepool_role.yaml

@@ -16,6 +16,21 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/machinepoolclient
+  verbs:
+  - create
 - apiGroups:
   - compute.api.onmetal.de
   resources:

config/apiserver/rbac/volumepool_role.yaml

@@ -16,6 +16,21 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/volumepoolclient
+  verbs:
+  - create
 - apiGroups:
   - storage.api.onmetal.de
   resources:

config/bucketpoollet-broker/poollet-rbac/role.yaml

@@ -16,6 +16,21 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/bucketpoolclient
+  verbs:
+  - create
 - apiGroups:
   - storage.api.onmetal.de
   resources:

config/machinepoollet-broker/poollet-rbac/role.yaml

@@ -16,6 +16,21 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/machinepoolclient
+  verbs:
+  - create
 - apiGroups:
   - compute.api.onmetal.de
   resources:

config/volumepoollet-broker/poollet-rbac/role.yaml

@@ -16,6 +16,21 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/volumepoolclient
+  verbs:
+  - create
 - apiGroups:
   - storage.api.onmetal.de
   resources:

poollet/bucketpoollet/controllers/rbac.go

@@ -18,3 +18,5 @@ package controllers
 
 // Rules required for kubeconfig-rotation
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/bucketpoolclient,verbs=create

poollet/machinepoollet/controllers/rbac.go

@@ -18,3 +18,5 @@ package controllers
 
 // Rules required for kubeconfig-rotation
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/machinepoolclient,verbs=create

poollet/volumepoollet/controllers/rbac.go

@@ -18,3 +18,5 @@ package controllers
 
 // Rules required for kubeconfig-rotation
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/volumepoolclient,verbs=create