added permissions for managing ingresses
dylanturn committed Jun 16, 2022
1 parent a41b1d0 commit c1092ce
Showing 2 changed files with 11 additions and 6 deletions.
11 changes: 8 additions & 3 deletions README.md
Expand Up @@ -116,14 +116,13 @@ module "cert_manager" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.8, < 2.0.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.6.1 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.6.1 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.8.0 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.1.3 |

## Modules

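Review bot: The Requirements table in this hunk appears to lose its `kubernetes` row (`~> 2.6.1`): the header counts go from 14 to 13 lines, while the Providers table moves to `kubernetes` 2.8.0 and `random` 3.1.3. If the `required_providers` constraint was removed rather than raised, the module now accepts any provider version; suggest keeping a bounded constraint (for example `~> 2.8`) and mentioning the provider bump in the commit message, which only talks about ingress permissions.
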
Expand All @@ -146,12 +145,18 @@ module "cert_manager" {

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_cainjector_image_name"></a> [cainjector\_image\_name](#input\_cainjector\_image\_name) | n/a | `string` | `"jetstack/cert-manager-cainjector"` | no |
| <a name="input_cainjector_image_tag"></a> [cainjector\_image\_tag](#input\_cainjector\_image\_tag) | n/a | `string` | `"v1.8.1"` | no |
| <a name="input_certificate_issuers"></a> [certificate\_issuers](#input\_certificate\_issuers) | An object that contains the configuration for all the enabled certificate issuers. | <pre>object({<br> letsencrypt = object({<br> name : string,<br> server : string,<br> email : string,<br> secret_base64_key : string,<br> default_issuer : bool,<br> ingress_class : string<br> })<br> # TODO: Add support for another one so this doesnt look so silly<br> })</pre> | <pre>{<br> "letsencrypt": null<br>}</pre> | no |
| <a name="input_image_pull_policy"></a> [image\_pull\_policy](#input\_image\_pull\_policy) | Determines when the image should be pulled prior to starting the container. `Always`: Always pull the image. \| `IfNotPresent`: Only pull the image if it does not already exist on the node. \| `Never`: Never pull the image | `string` | `"Always"` | no |
| <a name="input_image_repository"></a> [image\_repository](#input\_image\_repository) | The image repository to use when pulling images | `string` | `null` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | (optional) A map that consists of any additional labels that should be included with resources created by this module. | `map(string)` | `{}` | no |
| <a name="input_manager_image_name"></a> [manager\_image\_name](#input\_manager\_image\_name) | n/a | `string` | `"jetstack/cert-manager-controller"` | no |
| <a name="input_manager_image_tag"></a> [manager\_image\_tag](#input\_manager\_image\_tag) | n/a | `string` | `"v1.8.1"` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace that Cert-Manager will reside in. | `string` | `"cert-manager"` | no |
| <a name="input_namespace_annotations"></a> [namespace\_annotations](#input\_namespace\_annotations) | Additional namespace annotations. | `map(string)` | `{}` | no |
| <a name="input_webhook_image_name"></a> [webhook\_image\_name](#input\_webhook\_image\_name) | n/a | `string` | `"jetstack/cert-manager-webhook"` | no |
| <a name="input_webhook_image_tag"></a> [webhook\_image\_tag](#input\_webhook\_image\_tag) | n/a | `string` | `"v1.8.1"` | no |

## Outputs

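Review bot: The six new image inputs (`cainjector_image_name`/`_tag`, `manager_image_name`/`_tag`, `webhook_image_name`/`_tag`) are documented as `n/a`; add a `description` to each variable so the generated table says what they control and how they combine with `image_repository`. Since the tag defaults are `"v1.8.1"` and `image_pull_policy` defaults to `"Always"`, it is also worth stating whether a digest reference is accepted, so consumers can pin the exact image. These inputs are unrelated to the ingress permission change and would be easier to review as their own commit.
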
6 changes: 3 additions & 3 deletions cert-manager/cluster-roles.tf
Expand Up @@ -263,7 +263,7 @@ resource "kubernetes_cluster_role" "challenges_cluster_role" {
verbs = ["get", "list", "watch", "create", "delete"]
}
rule {
api_groups = ["extensions"]
api_groups = ["extensions", "networking.k8s.io"]
resources = [
"ingresses"
]
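
Review bot: In `challenges_cluster_role`, `api_groups = ["extensions", "networking.k8s.io"]` keeps the legacy `extensions` group alongside the new one, so the role grants ingress access through both groups cluster-wide. Ingress is no longer served from `extensions` as of Kubernetes 1.22, so if the module only targets newer clusters, drop `extensions` to keep the grant minimal; otherwise add a comment saying which cluster versions still need it. The `verbs` line for this rule falls outside the hunk context, so please confirm it is limited to what the challenges controller needs.
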
Expand Down Expand Up @@ -315,7 +315,7 @@ resource "kubernetes_cluster_role" "ingress_shim_cluster_role" {
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["extensions"]
api_groups = ["extensions", "networking.k8s.io"]
resources = [
"ingresses"
]
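
Review bot: The list `["extensions", "networking.k8s.io"]` is now written out in three separate rules across two cluster roles (here in `ingress_shim_cluster_role`, in its `ingresses/finalizers` rule, and in `challenges_cluster_role`). Suggest a single `locals` value, e.g. `ingress_api_groups`, referenced from each rule, so that dropping `extensions` later is a one-line change and the rules cannot drift apart.
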
Expand All @@ -325,7 +325,7 @@ resource "kubernetes_cluster_role" "ingress_shim_cluster_role" {
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
rule {
api_groups = ["extensions"]
api_groups = ["extensions", "networking.k8s.io"]
resources = [
"ingresses/finalizers"
]
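
Review bot: The `ingresses/finalizers` rule is now granted in `networking.k8s.io` as well, but its `verbs` line is below the visible context. The comment above ties this rule to the OwnerReferencesPermissionEnforcement admission controller, so please confirm the rule still grants only `update`, which is what setting owner references under that admission controller requires, and nothing broader.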