From ea1b19dfd321440ad0413d6b83cb196bcb850d02 Mon Sep 17 00:00:00 2001
From: Hanfei Shen
Date: Wed, 4 Mar 2020 08:47:24 +0800
Subject: [PATCH] adapt changes from upstream
---
 .../templates/rbac.yaml | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/deploy/cert-manager-webhook-dnspod/templates/rbac.yaml b/deploy/cert-manager-webhook-dnspod/templates/rbac.yaml
index 7eb8e85..bc0de6f 100644
--- a/deploy/cert-manager-webhook-dnspod/templates/rbac.yaml
+++ b/deploy/cert-manager-webhook-dnspod/templates/rbac.yaml
@@ -24,13 +24,34 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: extension-apiserver-authentication-reader
+ name: {{ include "cert-manager-webhook-dnspod.fullname" . }}:webhook-authentication-reader
 subjects:
 - apiGroup: ""
 kind: ServiceAccount
 name: {{ include "cert-manager-webhook-dnspod.fullname" . }}
 namespace: {{ .Release.Namespace }}
 ---
+# Once we no longer have to support Kubernetes versions lower than 1.17, we
+# can remove this custom defined Role in favour of the system-provisioned
+# extension-apiserver-authentication-reader Role resource in kube-system.
+# See https://github.com/kubernetes/kubernetes/issues/86359 for more details.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ include "cert-manager-webhook-dnspod.fullname" . }}:webhook-authentication-reader
+ namespace: kube-system
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1beta1
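Review bot: The added Role document is declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`, which Kubernetes stopped serving in 1.22; `rbac.authorization.k8s.io/v1` has been available since 1.8 and covers the pre-1.17 clusters the comment targets, so the new document could use `apiVersion: rbac.authorization.k8s.io/v1` (the neighbouring documents in this file appear to use v1beta1 as well). The rule itself is narrowly scoped, read-only verbs on a single ConfigMap pinned by `resourceNames`, which is the right shape for a grant in `kube-system`. Two things to confirm outside the hunk: the RoleBinding's `metadata` is not visible here and it has to live in `kube-system` for the new `roleRef` to resolve, and because `roleRef` is immutable on an existing binding, upgrading a release installed from the previous chart will likely need the old RoleBinding deleted first.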