Add tokenrequest RBAC for operator controller manager

lunarwhite · lunarwhite · commit e8fddafaca25 · 2025-06-04T11:51:23.000+08:00
diff --git a/bundle/manifests/cert-manager-operator.clusterserviceversion.yaml b/bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
@@ -332,6 +332,12 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - serviceaccounts/token
+          verbs:
+          - create
         - apiGroups:
           - acme.cert-manager.io
           resources:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -22,6 +22,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 - apiGroups:
   - acme.cert-manager.io
   resources:
diff --git a/pkg/controller/deployment/certmanager_controller.go b/pkg/controller/deployment/certmanager_controller.go
@@ -43,6 +43,7 @@ type CertManagerReconciler struct {
 // TODO clusterpermissions carried over as is, need to be reduced
 //+kubebuilder:rbac:groups="",resources=pods;secrets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="",resources=events;services;namespaces;serviceaccounts;configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=create
 //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
