From ced4077612979ff75d476b739a4f0977227f141c Mon Sep 17 00:00:00 2001 From: macmacs Date: Sat, 16 Sep 2017 13:16:21 +0200 Subject: [PATCH 1/5] Update letsencrypt-clusterrole.yaml --- letsencrypt-clusterrole.yaml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/letsencrypt-clusterrole.yaml b/letsencrypt-clusterrole.yaml index 673dbda..cccd6e4 100644 --- a/letsencrypt-clusterrole.yaml +++ b/letsencrypt-clusterrole.yaml @@ -2,17 +2,28 @@ apiVersion: v1 kind: ClusterRole metadata: name: letsencrypt + labels: + app: letsencrypt rules: - apiGroups: - "" - attributeRestrictions: null + - "route.openshift.io" resources: + - endpoints + - endpoints/restricted + - events - routes + - routes/custom-host + - routes/status + - secrets + - services + verbs: + - '*' +- apiGroups: + - "" + resources: + - namespaces verbs: - - create - - delete - get - list - - patch - - update - watch From 6607b100634a42b8299ad5b4acaa2f0f4fc49b22 Mon Sep 17 00:00:00 2001 From: macmacs Date: Sat, 16 Sep 2017 13:17:14 +0200 Subject: [PATCH 2/5] Update Readme.md --- Readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 229d9ee..ba5c3c2 100644 --- a/Readme.md +++ b/Readme.md @@ -81,7 +81,8 @@ Instanciate the template. The "letsencrypt" service account needs to be able to manage its secrets and manage routes. ``` -> oc policy add-role-to-user edit -z letsencrypt +> oc adm policy add-role-to-user edit -z letsencrypt +> oc adm policy add-cluster-role-to-user letsencrypt system:serviceaccount::letsencrypt ``` ### Let's encrypt credentials From 6cabc6417d5f45cb7831de413796afc2cd2b6138 Mon Sep 17 00:00:00 2001 From: macmacs Date: Sat, 16 Sep 2017 13:19:06 +0200 Subject: [PATCH 3/5] Update Readme.md --- Readme.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Readme.md b/Readme.md index ba5c3c2..160d7be 100644 --- a/Readme.md +++ b/Readme.md 
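Review bot: The rewritten first rule grants verbs `'*'` on routes, routes/custom-host and routes/status where the old rule enumerated create/delete/get/list/patch/update/watch, and the README change in this same series binds the ClusterRole cluster-wide, so the service account can do anything to routes in every project, including setting custom hostnames via the routes/custom-host subresource. Unless the ACME flow needs more than the previous verb set, keep an explicit list so the grant stays auditable and does not silently pick up additional verbs; if the controller only manages routes in its own project, a namespaced Role plus RoleBinding would bound the blast radius further. This still applies after PATCH 5/5 trims endpoints, events, secrets and services from the resource list, since the wildcard verbs on routes remain. The hunk's line breaks and indentation are collapsed on this page, so the nesting below is inferred.
```yaml
# … unchanged: apiGroups and resources of the first rule …
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
```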
@@ -82,6 +82,12 @@ The "letsencrypt" service account needs to be able to manage its secrets and man ``` > oc adm policy add-role-to-user edit -z letsencrypt +``` + +Add the `letsencrypt` clusterrole: + +``` +> oc create -f letsencrypt-clusterrole.yaml > oc adm policy add-cluster-role-to-user letsencrypt system:serviceaccount::letsencrypt ``` From 8dca167c19e9385b8c2eac560541efa833ee7d83 Mon Sep 17 00:00:00 2001 From: macmacs Date: Sat, 16 Sep 2017 16:26:14 +0200 Subject: [PATCH 4/5] Serviceaccount creation optimized --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 160d7be..148346b 100644 --- a/Readme.md +++ b/Readme.md @@ -88,7 +88,7 @@ Add the `letsencrypt` clusterrole: ``` > oc create -f letsencrypt-clusterrole.yaml -> oc adm policy add-cluster-role-to-user letsencrypt system:serviceaccount::letsencrypt +> oc adm policy add-cluster-role-to-user letsencrypt system:serviceaccount:`oc project -q`:letsencrypt ``` ### Let's encrypt credentials From cf7b1f299252bb5b3050fe13d892d9439213f628 Mon Sep 17 00:00:00 2001 From: macmacs Date: Sun, 17 Sep 2017 10:58:36 +0200 Subject: [PATCH 5/5] Removed: endpoints, services, events and secrets Works too :) --- letsencrypt-clusterrole.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/letsencrypt-clusterrole.yaml b/letsencrypt-clusterrole.yaml index cccd6e4..21a55e7 100644 --- a/letsencrypt-clusterrole.yaml +++ b/letsencrypt-clusterrole.yaml @@ -9,14 +9,9 @@ rules: - "" - "route.openshift.io" resources: - - endpoints - - endpoints/restricted - - events - routes - routes/custom-host - routes/status - - secrets - - services verbs: - '*' - apiGroups: