diff --git a/sealed-secrets/controller.yaml b/sealed-secrets/controller.yaml index d1c8a5c..32a0ab1 100644 --- a/sealed-secrets/controller.yaml +++ b/sealed-secrets/controller.yaml @@ -1,4 +1,172 @@ --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sealed-secrets-key-admin +subjects: +- kind: ServiceAccount + name: sealed-secrets-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: sealed-secrets-key-admin + name: sealed-secrets-key-admin + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-unsealer +subjects: +- kind: ServiceAccount + name: sealed-secrets-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: secrets-unsealer + name: secrets-unsealer +rules: +- apiGroups: + - bitnami.com + resources: + - sealedsecrets + verbs: + - get + - list + - watch +- apiGroups: + - bitnami.com + resources: + - sealedsecrets/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update + - delete + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +spec: + ports: + - port: 8080 + targetPort: 8080 + selector: + name: sealed-secrets-controller + type: ClusterIP +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: sealed-secrets-service-proxier + name: sealed-secrets-service-proxier + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sealed-secrets-service-proxier +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: sealed-secrets-service-proxier + name: sealed-secrets-service-proxier + namespace: kube-system +rules: +- apiGroups: + - "" + resourceNames: + - sealed-secrets-controller + resources: + - services + verbs: + - get +- apiGroups: + - "" + resourceNames: + - 'http:sealed-secrets-controller:' + - http:sealed-secrets-controller:http + - sealed-secrets-controller + resources: + - services/proxy + verbs: + - create + - get +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -6,7 +174,7 @@ metadata: labels: name: sealed-secrets-controller name: sealed-secrets-controller - namespace: sealed-secrets + namespace: kube-system spec: minReadySeconds: 30 replicas: 1 @@ -30,8 +198,8 @@ spec: command: - controller env: [] - image: quay.io/bitnami/sealed-secrets-controller:v0.17.3 - imagePullPolicy: Always + image: docker.io/bitnami/sealed-secrets-controller:v0.19.4 + imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -79,165 +247,108 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: + description: SealedSecret is the K8s representation of a "sealed Secret" - + a regular k8s Secret that has been sealed (encrypted) using the controller's + key. properties: - spec: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SealedSecretSpec is the specification of a SealedSecret + properties: + data: + description: Data is deprecated and will be removed eventually. Use + per-value EncryptedData instead. + format: byte + type: string + encryptedData: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + template: + description: Template defines the structure of the Secret that will + be created from this sealed secret. + properties: + data: + additionalProperties: + type: string + description: Keys that should be templated using decrypted data + nullable: true + type: object + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: + description: Used to facilitate programmatic handling of secret + data. + type: string + type: object + required: + - encryptedData type: object - x-kubernetes-preserve-unknown-fields: true status: - x-kubernetes-preserve-unknown-fields: true + description: SealedSecretStatus is the most recently observed status of + the SealedSecret. + properties: + conditions: + description: Represents the latest available observations of a sealed + secret's current state. + items: + description: SealedSecretCondition describes the state of a sealed + secret at a certain point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: 'Status of the condition for a sealed secret. Valid + values for "Synced": "True", "False", or "Unknown".' + type: string + type: + description: 'Type of condition for a sealed secret. Valid value: + "Synced"' + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration reflects the generation most recently + observed by the sealed-secrets controller. + format: int64 + type: integer + type: object + required: + - spec type: object served: true storage: true subresources: status: {} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -spec: - ports: - - port: 8080 - targetPort: 8080 - selector: - name: sealed-secrets-controller - type: ClusterIP ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-service-proxier - name: sealed-secrets-service-proxier - namespace: sealed-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: sealed-secrets-service-proxier -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: sealed-secrets-service-proxier - name: sealed-secrets-service-proxier - namespace: sealed-secrets -rules: -- apiGroups: - - "" - resourceNames: - - 'http:sealed-secrets-controller:' - - sealed-secrets-controller - resources: - - services/proxy - verbs: - - create - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: sealed-secrets-key-admin -subjects: -- kind: ServiceAccount - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: sealed-secrets-key-admin - name: sealed-secrets-key-admin - namespace: sealed-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - list ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: {} - labels: - name: secrets-unsealer - name: secrets-unsealer -rules: -- apiGroups: - - bitnami.com - resources: - - sealedsecrets - verbs: - - get - - list - - watch -- apiGroups: - - bitnami.com - resources: - - sealedsecrets/status - verbs: - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create - - update - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: secrets-unsealer -subjects: -- kind: ServiceAccount - name: sealed-secrets-controller - namespace: sealed-secrets