35 lines
1.2 KiB
YAML
35 lines
1.2 KiB
YAML
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: authentik-read-grafana-secret
|
|
namespace: monitoring # The namespace where the secret exists
|
|
labels:
|
|
app.kubernetes.io/part-of: authentik
|
|
app.kubernetes.io/managed-by: helm
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: grafana-sso
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
resourceNames: ["authentik-client-secret-grafana"] # Grant access only to this specific secret
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: authentik-read-grafana-secret-binding
|
|
namespace: monitoring # The namespace where the secret and role exist
|
|
labels:
|
|
app.kubernetes.io/part-of: authentik
|
|
app.kubernetes.io/managed-by: helm
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: grafana-sso
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: authentik-read-grafana-secret
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ include "authentik.fullname" . }} # The service account used by Authentik
|
|
namespace: {{ .Release.Namespace }} # The namespace where Authentik is running
|