upgrade sealed secrets
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
f246075a5d
commit
98495f74a8
|
@ -1,4 +1,172 @@
|
||||||
---
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: sealed-secrets-key-admin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-key-admin
|
||||||
|
name: sealed-secrets-key-admin
|
||||||
|
namespace: kube-system
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- list
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: secrets-unsealer
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: secrets-unsealer
|
||||||
|
name: secrets-unsealer
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- bitnami.com
|
||||||
|
resources:
|
||||||
|
- sealedsecrets
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- bitnami.com
|
||||||
|
resources:
|
||||||
|
- sealedsecrets/status
|
||||||
|
verbs:
|
||||||
|
- update
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- patch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
namespace: kube-system
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- port: 8080
|
||||||
|
targetPort: 8080
|
||||||
|
selector:
|
||||||
|
name: sealed-secrets-controller
|
||||||
|
type: ClusterIP
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-service-proxier
|
||||||
|
name: sealed-secrets-service-proxier
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: sealed-secrets-service-proxier
|
||||||
|
subjects:
|
||||||
|
- apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Group
|
||||||
|
name: system:authenticated
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
annotations: {}
|
||||||
|
labels:
|
||||||
|
name: sealed-secrets-service-proxier
|
||||||
|
name: sealed-secrets-service-proxier
|
||||||
|
namespace: kube-system
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resourceNames:
|
||||||
|
- sealed-secrets-controller
|
||||||
|
resources:
|
||||||
|
- services
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resourceNames:
|
||||||
|
- 'http:sealed-secrets-controller:'
|
||||||
|
- http:sealed-secrets-controller:http
|
||||||
|
- sealed-secrets-controller
|
||||||
|
resources:
|
||||||
|
- services/proxy
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- get
|
||||||
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -6,7 +174,7 @@ metadata:
|
||||||
labels:
|
labels:
|
||||||
name: sealed-secrets-controller
|
name: sealed-secrets-controller
|
||||||
name: sealed-secrets-controller
|
name: sealed-secrets-controller
|
||||||
namespace: sealed-secrets
|
namespace: kube-system
|
||||||
spec:
|
spec:
|
||||||
minReadySeconds: 30
|
minReadySeconds: 30
|
||||||
replicas: 1
|
replicas: 1
|
||||||
|
@ -30,8 +198,8 @@ spec:
|
||||||
command:
|
command:
|
||||||
- controller
|
- controller
|
||||||
env: []
|
env: []
|
||||||
image: quay.io/bitnami/sealed-secrets-controller:v0.17.3
|
image: docker.io/bitnami/sealed-secrets-controller:v0.19.4
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: IfNotPresent
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /healthz
|
path: /healthz
|
||||||
|
@ -79,165 +247,108 @@ spec:
|
||||||
- name: v1alpha1
|
- name: v1alpha1
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
|
description: SealedSecret is the K8s representation of a "sealed Secret" -
|
||||||
|
a regular k8s Secret that has been sealed (encrypted) using the controller's
|
||||||
|
key.
|
||||||
properties:
|
properties:
|
||||||
spec:
|
apiVersion:
|
||||||
|
description: 'APIVersion defines the versioned schema of this representation
|
||||||
|
of an object. Servers should convert recognized schemas to the latest
|
||||||
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
description: 'Kind is a string value representing the REST resource this
|
||||||
|
object represents. Servers may infer this from the endpoint the client
|
||||||
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
type: object
|
||||||
|
spec:
|
||||||
|
description: SealedSecretSpec is the specification of a SealedSecret
|
||||||
|
properties:
|
||||||
|
data:
|
||||||
|
description: Data is deprecated and will be removed eventually. Use
|
||||||
|
per-value EncryptedData instead.
|
||||||
|
format: byte
|
||||||
|
type: string
|
||||||
|
encryptedData:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
template:
|
||||||
|
description: Template defines the structure of the Secret that will
|
||||||
|
be created from this sealed secret.
|
||||||
|
properties:
|
||||||
|
data:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: Keys that should be templated using decrypted data
|
||||||
|
nullable: true
|
||||||
|
type: object
|
||||||
|
metadata:
|
||||||
|
description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
||||||
|
nullable: true
|
||||||
|
type: object
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type:
|
||||||
|
description: Used to facilitate programmatic handling of secret
|
||||||
|
data.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- encryptedData
|
||||||
type: object
|
type: object
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
status:
|
status:
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
description: SealedSecretStatus is the most recently observed status of
|
||||||
|
the SealedSecret.
|
||||||
|
properties:
|
||||||
|
conditions:
|
||||||
|
description: Represents the latest available observations of a sealed
|
||||||
|
secret's current state.
|
||||||
|
items:
|
||||||
|
description: SealedSecretCondition describes the state of a sealed
|
||||||
|
secret at a certain point.
|
||||||
|
properties:
|
||||||
|
lastTransitionTime:
|
||||||
|
description: Last time the condition transitioned from one status
|
||||||
|
to another.
|
||||||
|
format: date-time
|
||||||
|
type: string
|
||||||
|
lastUpdateTime:
|
||||||
|
description: The last time this condition was updated.
|
||||||
|
format: date-time
|
||||||
|
type: string
|
||||||
|
message:
|
||||||
|
description: A human readable message indicating details about
|
||||||
|
the transition.
|
||||||
|
type: string
|
||||||
|
reason:
|
||||||
|
description: The reason for the condition's last transition.
|
||||||
|
type: string
|
||||||
|
status:
|
||||||
|
description: 'Status of the condition for a sealed secret. Valid
|
||||||
|
values for "Synced": "True", "False", or "Unknown".'
|
||||||
|
type: string
|
||||||
|
type:
|
||||||
|
description: 'Type of condition for a sealed secret. Valid value:
|
||||||
|
"Synced"'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- status
|
||||||
|
- type
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
observedGeneration:
|
||||||
|
description: ObservedGeneration reflects the generation most recently
|
||||||
|
observed by the sealed-secrets controller.
|
||||||
|
format: int64
|
||||||
|
type: integer
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
subresources:
|
subresources:
|
||||||
status: {}
|
status: {}
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
namespace: sealed-secrets
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 8080
|
|
||||||
targetPort: 8080
|
|
||||||
selector:
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
type: ClusterIP
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-service-proxier
|
|
||||||
name: sealed-secrets-service-proxier
|
|
||||||
namespace: sealed-secrets
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: sealed-secrets-service-proxier
|
|
||||||
subjects:
|
|
||||||
- apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Group
|
|
||||||
name: system:authenticated
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-service-proxier
|
|
||||||
name: sealed-secrets-service-proxier
|
|
||||||
namespace: sealed-secrets
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resourceNames:
|
|
||||||
- 'http:sealed-secrets-controller:'
|
|
||||||
- sealed-secrets-controller
|
|
||||||
resources:
|
|
||||||
- services/proxy
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- get
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
namespace: sealed-secrets
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: sealed-secrets-key-admin
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
namespace: sealed-secrets
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-key-admin
|
|
||||||
name: sealed-secrets-key-admin
|
|
||||||
namespace: sealed-secrets
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- list
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
namespace: sealed-secrets
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: secrets-unsealer
|
|
||||||
name: secrets-unsealer
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- bitnami.com
|
|
||||||
resources:
|
|
||||||
- sealedsecrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- bitnami.com
|
|
||||||
resources:
|
|
||||||
- sealedsecrets/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
annotations: {}
|
|
||||||
labels:
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: secrets-unsealer
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: sealed-secrets-controller
|
|
||||||
namespace: sealed-secrets
|
|
||||||
|
|
Reference in a new issue