From d6150a8b040551a70916e2b2164d4b894ba4534f Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 24 Aug 2021 20:54:08 +0200 Subject: [PATCH] upgrade sealed secrets controller --- sealed-secrets/controller.yaml | 241 +++++++++++++++++---------------- 1 file changed, 121 insertions(+), 120 deletions(-) diff --git a/sealed-secrets/controller.yaml b/sealed-secrets/controller.yaml index d718a0f..734aa3a 100644 --- a/sealed-secrets/controller.yaml +++ b/sealed-secrets/controller.yaml @@ -1,12 +1,65 @@ --- apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + annotations: {} + labels: + name: sealed-secrets-service-proxier + name: sealed-secrets-service-proxier + namespace: kube-system +rules: +- apiGroups: + - "" + resourceNames: + - 'http:sealed-secrets-controller:' + - sealed-secrets-controller + resources: + - services/proxy + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + annotations: {} + labels: + name: sealed-secrets-key-admin + name: sealed-secrets-key-admin + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - list +--- +apiVersion: v1 +kind: Service +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +spec: + ports: + - port: 8080 + targetPort: 8080 + selector: + name: sealed-secrets-controller + type: ClusterIP +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: annotations: {} labels: name: sealed-secrets-service-proxier name: sealed-secrets-service-proxier - namespace: sealed-secrets + namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
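Review bot: The two Role objects added at the top of this hunk are declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`, an API that Kubernetes 1.22 removed; the stable `rbac.authorization.k8s.io/v1` has the same schema and has been available since 1.8. Changing every RBAC object to `apiVersion: rbac.authorization.k8s.io/v1` — these Roles and the kept RoleBinding here, the RoleBinding and ClusterRoleBinding added in the next hunk, and the ClusterRole in its context — avoids an apply failure on a current cluster; if the target cluster is known to be older than 1.22 this is only future-proofing. The added Service is `apiVersion: v1` and is unaffected.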
@@ -16,22 +69,66 @@ subjects: kind: Group name: system:authenticated --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: sealedsecrets.bitnami.com +spec: + group: bitnami.com + names: + kind: SealedSecret + listKind: SealedSecretList + plural: sealedsecrets + singular: sealedsecret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role +kind: RoleBinding metadata: annotations: {} labels: - name: sealed-secrets-key-admin + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role name: sealed-secrets-key-admin - namespace: sealed-secrets -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - list +subjects: +- kind: ServiceAccount + name: sealed-secrets-controller + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-unsealer +subjects: +- kind: ServiceAccount + name: sealed-secrets-controller + namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole @@ -72,6 +169,15 @@ rules: - create - patch --- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: sealed-secrets-controller + name: sealed-secrets-controller + namespace: kube-system +--- apiVersion: apps/v1 kind: Deployment metadata: 
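Review bot: The `sealed-secrets-controller` RoleBinding added in this hunk binds the controller ServiceAccount to `sealed-secrets-key-admin` in `kube-system`, and that Role (first hunk) grants `create` and `list` on all `secrets` in its namespace. With the previous dedicated `sealed-secrets` namespace that `list` exposed only the controller's own sealing keys; in `kube-system` it returns the contents of every Secret stored there, so the controller's token becomes a more valuable credential than before. If `kube-system` is the intended home (it is upstream's default), it is worth recording the trade-off on the Role, e.g. `# key-admin grants list on every Secret in kube-system; keep the controller in a dedicated namespace to narrow this`; otherwise keep the dedicated namespace and only take the image bump. The CRD block also adds a `status` schema, consistent with the existing `subresources.status`.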
@@ -79,7 +185,7 @@ metadata: labels: name: sealed-secrets-controller name: sealed-secrets-controller - namespace: sealed-secrets + namespace: kube-system spec: minReadySeconds: 30 replicas: 1 @@ -99,12 +205,11 @@ spec: name: sealed-secrets-controller spec: containers: - - args: - - --update-status + - args: [] command: - controller env: [] - image: quay.io/bitnami/sealed-secrets-controller:v0.15.0 + image: quay.io/bitnami/sealed-secrets-controller:v0.16.0 imagePullPolicy: Always livenessProbe: httpGet: 
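Review bot: The container spec in the second hunk on this line pins the image to the mutable tag `quay.io/bitnami/sealed-secrets-controller:v0.16.0` while the context line keeps `imagePullPolicy: Always`, so every pod restart re-resolves the tag and a re-pushed tag would be pulled with no change to this file. Pinning by digest, `image: quay.io/bitnami/sealed-secrets-controller@sha256:<digest-of-v0.16.0>`, with the tag kept in a comment for readability, makes the deployed bits match what was reviewed. The same hunk replaces `- --update-status` with `args: []`; the CRD gaining a `status` schema in this patch suggests status updates are on by default in v0.16.0, but that should be confirmed against the release notes before the flag is dropped, since the previous deployment relied on it. The Deployment's pod template continues outside the hunk.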
@@ -136,107 +241,3 @@ spec: volumes: - emptyDir: {} name: tmp ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: sealedsecrets.bitnami.com -spec: - group: bitnami.com - names: - kind: SealedSecret - listKind: SealedSecretList - plural: sealedsecrets - singular: sealedsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -spec: - ports: - - port: 8080 - targetPort: 8080 - selector: - name: sealed-secrets-controller - type: ClusterIP ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: secrets-unsealer -subjects: -- kind: ServiceAccount - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - annotations: {} - labels: - name: sealed-secrets-service-proxier - name: sealed-secrets-service-proxier - namespace: sealed-secrets -rules: -- apiGroups: - - "" - resourceNames: - - 'http:sealed-secrets-controller:' - - sealed-secrets-controller - resources: - - services/proxy - verbs: - - create - - get ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: sealed-secrets-controller - name: sealed-secrets-controller - namespace: sealed-secrets -roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: Role - name: sealed-secrets-key-admin -subjects: -- kind: ServiceAccount - name: sealed-secrets-controller - namespace: sealed-secrets