Add token requestor flow

charts/internal/shoot-fleet-agent-shoot/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A Helm chart for shoot-fleet-agent-shoot
+name: shoot-fleet-agent-shoot
+version: 0.1.0

charts/internal/shoot-fleet-agent-shoot/templates/custom-infrastructure-rbac.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: extensions.gardener.cloud:extension-shoot-fleet-agent:shoot
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - nonResourceURLs:
+      - '*'
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: extensions.gardener.cloud:extension-shoot-fleet-agent:shoot
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: extensions.gardener.cloud:extension-shoot-fleet-agent:shoot
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.shootAccessServiceAccountName }}
+    namespace: {{ .Values.shootAccessServiceAccountNamespace }}

charts/internal/shoot-fleet-agent-shoot/values.yaml

@@ -0,0 +1,2 @@
+shootAccessServiceAccountName: ""
+shootAccessServiceAccountNamespace: kube-system