From 12df0a5257cfafba68b197336d2c6c8f5044f27e Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 15 Apr 2021 20:57:27 +0200 Subject: [PATCH] upgrade sealed secrets controller --- sealed-secrets/controller.yaml | 330 +++++++++++++++++---------------- 1 file changed, 170 insertions(+), 160 deletions(-) diff --git a/sealed-secrets/controller.yaml b/sealed-secrets/controller.yaml index 8348ec9..8e1de85 100644 --- a/sealed-secrets/controller.yaml +++ b/sealed-secrets/controller.yaml @@ -1,129 +1,4 @@ --- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -spec: - minReadySeconds: 30 - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - name: sealed-secrets-controller - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate - template: - metadata: - annotations: {} - labels: - name: sealed-secrets-controller - spec: - containers: - - args: [] - command: - - controller - env: [] - image: quay.io/bitnami/sealed-secrets-controller:v0.12.5 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: http - name: sealed-secrets-controller - ports: - - containerPort: 8080 - name: http - readinessProbe: - httpGet: - path: /healthz - port: http - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1001 - stdin: false - tty: false - volumeMounts: - - mountPath: /tmp - name: tmp - imagePullSecrets: [] - initContainers: [] - securityContext: - fsGroup: 65534 - serviceAccountName: sealed-secrets-controller - terminationGracePeriodSeconds: 30 - volumes: - - emptyDir: {} - name: tmp ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: sealedsecrets.bitnami.com -spec: - group: bitnami.com - names: - kind: SealedSecret - listKind: SealedSecretList - plural: sealedsecrets - singular: sealedsecret - scope: Namespaced - subresources: - status: {} - version: v1alpha1 ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - annotations: {} - labels: - name: sealed-secrets-service-proxier - name: sealed-secrets-service-proxier - namespace: sealed-secrets -rules: -- apiGroups: - - "" - resourceNames: - - 'http:sealed-secrets-controller:' - - sealed-secrets-controller - resources: - - services/proxy - verbs: - - create - - get ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -spec: - ports: - - port: 8080 - targetPort: 8080 - selector: - name: sealed-secrets-controller - type: ClusterIP ---- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: @@ -131,7 +6,7 @@ metadata: labels: name: sealed-secrets-service-proxier name: sealed-secrets-service-proxier - namespace: sealed-secrets + namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -142,30 +17,13 @@ subjects: name: system:authenticated --- apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: sealed-secrets-key-admin -subjects: -- kind: ServiceAccount - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: annotations: {} labels: name: sealed-secrets-key-admin name: sealed-secrets-key-admin - namespace: sealed-secrets + namespace: kube-system rules: - apiGroups: - "" @@ -176,22 +34,6 @@ rules: - list --- apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: secrets-unsealer -subjects: -- kind: ServiceAccount - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: annotations: {} @@ -229,3 +71,171 @@ rules: verbs: - create - patch +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +spec: + minReadySeconds: 30 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + name: sealed-secrets-controller + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + annotations: {} + labels: + name: sealed-secrets-controller + spec: + containers: + - args: [] + command: + - controller + env: [] + image: quay.io/bitnami/sealed-secrets-controller:v0.15.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: http + name: sealed-secrets-controller + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /healthz + port: http + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + stdin: false + tty: false + volumeMounts: + - mountPath: /tmp + name: tmp + imagePullSecrets: [] + initContainers: [] + securityContext: + fsGroup: 65534 + serviceAccountName: sealed-secrets-controller + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: tmp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: sealedsecrets.bitnami.com +spec: + group: bitnami.com + names: + kind: SealedSecret + listKind: SealedSecretList + plural: sealedsecrets + singular: sealedsecret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +spec: + ports: + - port: 8080 + targetPort: 8080 + selector: + name: sealed-secrets-controller + type: ClusterIP +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-unsealer +subjects: +- kind: ServiceAccount + name: sealed-secrets-controller + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + annotations: {} + labels: + name: sealed-secrets-service-proxier + name: sealed-secrets-service-proxier + namespace: kube-system +rules: +- apiGroups: + - "" + resourceNames: + - 'http:sealed-secrets-controller:' + - sealed-secrets-controller + resources: + - services/proxy + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sealed-secrets-key-admin +subjects: +- kind: ServiceAccount + name: sealed-secrets-controller + namespace: kube-system