add rbac for leases, add namespace to cluster issuer

Signed-off-by: Tobias Gurtzick <magic@wizardtales.com> Signed-off-by: Christian Wolf <bc.christianwolf@googlemail.com>

add rbac for leases, add namespace to cluster issuer
5856bcca · Christian Wolf · Tobias Gurtzick · e4c0e6a1 · 5856bcca · 5856bcca
Unverified Commit 5856bcca authored 3 years ago by Christian Wolf Committed by Tobias Gurtzick 3 years ago
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -66,3 +66,12 @@ rules:
  - create
  - get
  - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
--- a/controllers/stepclusterissuer_controller.go
+++ b/controllers/stepclusterissuer_controller.go
@@ -43,6 +43,7 @@ type StepClusterIssuerReconciler struct {
 // +kubebuilder:rbac:groups=certmanager.step.sm,resources=stepclusterissuers/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+// +kubebuilder:rbac:groups="coordination.k8s.io",resources=leases,verbs=create;get;list;update

 // Reconcile will read and validate the StepClusterIssuer resources, it will set the
 // status condition ready to true if everything is right.
@@ -68,6 +69,7 @@ func (r *StepClusterIssuerReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		Namespace: req.Namespace,
 		Name:      iss.Spec.Provisioner.PasswordRef.Name,
 	}
+	log.Info("secretNamespaceName", secretNamespaceName)
 	if err := r.Client.Get(ctx, secretNamespaceName, &secret); err != nil {
 		log.Error(err, "failed to retrieve StepClusterIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
 		if apierrors.IsNotFound(err) {