Allow API gateway controller to manage roles + bindings

charts/consul/templates/api-gateway-controller-clusterrole.yaml

@@ -11,6 +11,24 @@ metadata:
     release: {{ .Release.Name }}
     component: api-gateway-controller
 rules:
+{{- if .Values.global.enablePodSecurityPolicies }}
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+{{- end}}
 - apiGroups:
   - api-gateway.consul.hashicorp.com
   resources:

charts/consul/templates/api-gateway-gatewayclassconfig.yaml

@@ -15,6 +15,9 @@ spec:
       {{- if .Values.global.acls.manageSystemACLs }}
       managed: true
       method: {{ template "consul.fullname" . }}-k8s-auth-method
+      {{- if .Values.global.enablePodSecurityPolicies }}
+      podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway
+      {{- end }}
       {{- end }}
     {{- if .Values.global.tls.enabled }}
     scheme: https