diff --git a/sealed-secrets/controller.yaml b/sealed-secrets/controller.yaml
index f4158ac..8348ec9 100644
--- a/sealed-secrets/controller.yaml
+++ b/sealed-secrets/controller.yaml
@@ -1,4 +1,113 @@
 ---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: sealed-secrets
+spec:
+ minReadySeconds: 30
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ name: sealed-secrets-controller
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ spec:
+ containers:
+ - args: []
+ command:
+ - controller
+ env: []
+ image: quay.io/bitnami/sealed-secrets-controller:v0.12.5
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ name: sealed-secrets-controller
+ ports:
+ - containerPort: 8080
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1001
+ stdin: false
+ tty: false
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ imagePullSecrets: []
+ initContainers: []
+ securityContext:
+ fsGroup: 65534
+ serviceAccountName: sealed-secrets-controller
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: tmp
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: sealedsecrets.bitnami.com
+spec:
+ group: bitnami.com
+ names:
+ kind: SealedSecret
+ listKind: SealedSecretList
+ plural: sealedsecrets
+ singular: sealedsecret
+ scope: Namespaced
+ subresources:
+ status: {}
+ version: v1alpha1
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-service-proxier
+ name: sealed-secrets-service-proxier
+ namespace: sealed-secrets
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - 'http:sealed-secrets-controller:'
+ - sealed-secrets-controller
+ resources:
+ - services/proxy
+ verbs:
+ - create
+ - get
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: sealed-secrets
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -33,6 +142,23 @@ subjects:
 name: system:authenticated
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: sealed-secrets
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sealed-secrets-key-admin
+subjects:
+- kind: ServiceAccount
+ name: sealed-secrets-controller
+ namespace: sealed-secrets
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
 annotations: {}
@@ -81,6 +207,11 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - bitnami.com
+ resources:
+ - sealedsecrets/status
+ verbs:
 - update
 - apiGroups:
 - ""
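Review bot: The container `securityContext` of the Deployment on the new side of this hunk still neither disables privilege escalation nor drops capabilities, so the hardening added here (`fsGroup: 65534` on the pod, alongside the existing `runAsNonRoot`/`readOnlyRootFilesystem`) leaves the process free to acquire privileges through setuid or file-capability binaries in the image; add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` next to `readOnlyRootFilesystem: true`. The same hunk re-adds the CRD as `apiextensions.k8s.io/v1beta1` and the Role as `rbac.authorization.k8s.io/v1beta1`, and the RoleBinding/Role in the second hunk (new lines 142-164) use the same `v1beta1`; both API versions were removed in Kubernetes 1.22, the RBAC switch to `v1` is a one-line rename, while the CRD move to `v1` needs a structural schema, so until that is done a comment stating the supported cluster version range would help. With `imagePullPolicy: Always` on a mutable version tag, consider pinning the digest next to the `v0.12.5` tag so the bump is reproducible and the supply chain is verifiable.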
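Review bot: The new rule in the third hunk grants `update` only on `sealedsecrets/status`, and because the `- update` context line now belongs to this rule rather than the preceding one, the preceding rule (whose `resources:` list starts outside the hunk, as does the enclosing `rules:` sequence) silently loses `update`; that narrowing is sound least privilege but nothing in the file explains it. Add a comment above the new `- apiGroups:` entry such as `# .status is a subresource (CRD spec.subresources.status); status writes go through sealedsecrets/status, so update on the main resource is no longer needed`. Also confirm that the controller shipped here (`v0.12.5`) does not still need `update` on `sealedsecrets` itself (for example for finalizers or annotations), since a reconcile failure from a forbidden update would only surface at runtime.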
@@ -98,125 +229,3 @@ rules:
 verbs:
 - create
 - patch
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- annotations: {}
- labels:
- name: sealed-secrets-controller
- name: sealed-secrets-controller
- namespace: sealed-secrets
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- annotations: {}
- labels:
- name: sealed-secrets-controller
- name: sealed-secrets-controller
- namespace: sealed-secrets
-spec:
- minReadySeconds: 30
- replicas: 1
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- name: sealed-secrets-controller
- strategy:
- rollingUpdate:
- maxSurge: 25%
- maxUnavailable: 25%
- type: RollingUpdate
- template:
- metadata:
- annotations: {}
- labels:
- name: sealed-secrets-controller
- spec:
- containers:
- - args: []
- command:
- - controller
- env: []
- image: quay.io/bitnami/sealed-secrets-controller:v0.12.2
- imagePullPolicy: Always
- livenessProbe:
- httpGet:
- path: /healthz
- port: http
- name: sealed-secrets-controller
- ports:
- - containerPort: 8080
- name: http
- readinessProbe:
- httpGet:
- path: /healthz
- port: http
- securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1001
- stdin: false
- tty: false
- volumeMounts:
- - mountPath: /tmp
- name: tmp
- imagePullSecrets: []
- initContainers: []
- serviceAccountName: sealed-secrets-controller
- terminationGracePeriodSeconds: 30
- volumes:
- - emptyDir: {}
- name: tmp
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: sealedsecrets.bitnami.com
-spec:
- group: bitnami.com
- names:
- kind: SealedSecret
- listKind: SealedSecretList
- plural: sealedsecrets
- singular: sealedsecret
- scope: Namespaced
- version: v1alpha1
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- annotations: {}
- labels:
- name: sealed-secrets-service-proxier
- name: sealed-secrets-service-proxier
- namespace: sealed-secrets
-rules:
-- apiGroups:
- - ""
- resourceNames:
- - 'http:sealed-secrets-controller:'
- - sealed-secrets-controller
- resources:
- - services/proxy
- verbs:
- - create
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- annotations: {}
- labels:
- name: sealed-secrets-controller
- name: sealed-secrets-controller
- namespace: sealed-secrets
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: sealed-secrets-key-admin
-subjects:
-- kind: ServiceAccount
- name: sealed-secrets-controller
- namespace: sealed-secrets