deploy: add kube-cert-agent deployment knobs
parent
5a608cc84c
commit
e18b6fdddc
@ -38,6 +38,13 @@ data:
|
|||||||
servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
|
servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
|
||||||
credentialIssuerConfig: (@= data.values.app_name + "-config" @)
|
credentialIssuerConfig: (@= data.values.app_name + "-config" @)
|
||||||
apiService: (@= data.values.app_name + "-api" @)
|
apiService: (@= data.values.app_name + "-api" @)
|
||||||
|
kubeCertAgent:
|
||||||
|
namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @)
|
||||||
|
(@ if data.values.image_digest: @)
|
||||||
|
image: (@= data.values.image_repo + "@" + data.values.image_digest @)
|
||||||
|
(@ else: @)
|
||||||
|
image: (@= data.values.image_repo + ":" + data.values.image_tag @)
|
||||||
|
(@ end @)
|
||||||
---
|
---
|
||||||
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
|
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
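Review bot: The `(@ else: @)` branch under `kubeCertAgent:` references the agent image only as `image_repo:image_tag`, a mutable reference, and nothing here tells the operator that the digest form is the safer choice. The RBAC comment on this page says the kube-system access exists to reach the API server's private key, so a retagged image would presumably run with that access. I would document this where `image_digest` is declared (outside this hunk), for example `#! Set image_digest for production installs; the image_tag fallback is mutable and is also used for the kube-cert-agent pods`. The enclosing ConfigMap starts before the hunk, so I cannot tell whether other fields already cover this.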
@ -65,17 +65,17 @@ roleRef:
|
|||||||
name: #@ data.values.app_name + "-aggregated-api-server"
|
name: #@ data.values.app_name + "-aggregated-api-server"
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
|
#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
name: #@ data.values.app_name + "-kube-system-pod-exec"
|
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: [pods]
|
resources: [pods]
|
||||||
verbs: [get, list]
|
verbs: [create, get, list, patch, update, watch, delete]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: [pods/exec]
|
resources: [pods/exec]
|
||||||
verbs: [create]
|
verbs: [create]
|
||||||
@ -83,7 +83,7 @@ rules:
|
|||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: #@ data.values.app_name + "-kube-system-pod-exec"
|
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
@ -91,7 +91,7 @@ subjects:
|
|||||||
namespace: #@ data.values.namespace
|
namespace: #@ data.values.namespace
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: Role
|
kind: Role
|
||||||
name: #@ data.values.app_name + "-kube-system-pod-exec"
|
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
|
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
|
||||||
|
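Review bot: The pods rule of the `-kube-system-pod-read-write` Role now grants `create, get, list, patch, update, watch, delete` on every pod in kube-system next to `create` on `pods/exec`, which is much broader than the previous `get, list`. RBAC cannot scope `create` by resource name, so any holder of the bound service account's token can run or alter arbitrary workloads in that namespace; the `#!` comment above the Role still justifies only the key lookup and should say why each write verb is needed. If the controller only creates and deletes agent pods (not visible on this page), I would narrow the rule to `verbs: [create, get, list, watch, delete]`. The comment should also record that this grant is expected to be backed by admission policy or audit alerts on pod create and exec in kube-system. The hunks at -83 and -91 are only the matching RoleBinding rename and need no separate note.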