djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

deploy: add kube-cert-agent deployment knobs

Browse Source
This commit is contained in:
Andrew Keesler 2020-09-21 14:16:32 -04:00
parent 5a608cc84c
commit e18b6fdddc
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
2 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
deploy/deployment.yaml
View File

@ -38,6 +38,13 @@ data:
servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
credentialIssuerConfig: (@= data.values.app_name + "-config" @)
apiService: (@= data.values.app_name + "-api" @)
kubeCertAgent:
namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @)
(@ if data.values.image_digest: @)
image: (@= data.values.image_repo + "@" + data.values.image_digest @)
(@ else: @)
image: (@= data.values.image_repo + ":" + data.values.image_tag @)
(@ end @)
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1

10
deploy/rbac.yaml
View File

@ -65,17 +65,17 @@ roleRef:
name: #@ data.values.app_name + "-aggregated-api-server"
apiGroup: rbac.authorization.k8s.io
#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: #@ data.values.app_name + "-kube-system-pod-exec"
name: #@ data.values.app_name + "-kube-system-pod-read-write"
namespace: kube-system
rules:
- apiGroups: [""]
resources: [pods]
verbs: [get, list]
verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [""]
resources: [pods/exec]
verbs: [create]
@ -83,7 +83,7 @@ rules:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-kube-system-pod-exec"
name: #@ data.values.app_name + "-kube-system-pod-read-write"
namespace: kube-system
subjects:
- kind: ServiceAccount
@ -91,7 +91,7 @@ subjects:
namespace: #@ data.values.namespace
roleRef:
kind: Role
name: #@ data.values.app_name + "-kube-system-pod-exec"
name: #@ data.values.app_name + "-kube-system-pod-read-write"
apiGroup: rbac.authorization.k8s.io
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)