deploy: add kube-cert-agent deployment knobs

This commit is contained in:
Andrew Keesler 2020-09-21 14:16:32 -04:00
parent 5a608cc84c
commit e18b6fdddc
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
2 changed files with 12 additions and 5 deletions

View File

@ -38,6 +38,13 @@ data:
servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @) servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
credentialIssuerConfig: (@= data.values.app_name + "-config" @) credentialIssuerConfig: (@= data.values.app_name + "-config" @)
apiService: (@= data.values.app_name + "-api" @) apiService: (@= data.values.app_name + "-api" @)
kubeCertAgent:
namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @)
(@ if data.values.image_digest: @)
image: (@= data.values.image_repo + "@" + data.values.image_digest @)
(@ else: @)
image: (@= data.values.image_repo + ":" + data.values.image_tag @)
(@ end @)
--- ---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1 apiVersion: v1

View File

@ -65,17 +65,17 @@ roleRef:
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ data.values.app_name + "-aggregated-api-server"
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key #! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: #@ data.values.app_name + "-kube-system-pod-exec" name: #@ data.values.app_name + "-kube-system-pod-read-write"
namespace: kube-system namespace: kube-system
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: [pods] resources: [pods]
verbs: [get, list] verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [""] - apiGroups: [""]
resources: [pods/exec] resources: [pods/exec]
verbs: [create] verbs: [create]
@ -83,7 +83,7 @@ rules:
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-kube-system-pod-exec" name: #@ data.values.app_name + "-kube-system-pod-read-write"
namespace: kube-system namespace: kube-system
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
@ -91,7 +91,7 @@ subjects:
namespace: #@ data.values.namespace namespace: #@ data.values.namespace
roleRef: roleRef:
kind: Role kind: Role
name: #@ data.values.app_name + "-kube-system-pod-exec" name: #@ data.values.app_name + "-kube-system-pod-read-write"
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests) #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)