--- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: {} labels: name: sealed-secrets-controller name: sealed-secrets-controller namespace: sealed-secrets roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: sealed-secrets-key-admin subjects: - kind: ServiceAccount name: sealed-secrets-controller namespace: sealed-secrets --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: {} labels: name: sealed-secrets-key-admin name: sealed-secrets-key-admin namespace: sealed-secrets rules: - apiGroups: - "" resources: - secrets verbs: - create - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: {} labels: name: sealed-secrets-controller name: sealed-secrets-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: secrets-unsealer subjects: - kind: ServiceAccount name: sealed-secrets-controller namespace: sealed-secrets --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: {} labels: name: secrets-unsealer name: secrets-unsealer rules: - apiGroups: - bitnami.com resources: - sealedsecrets verbs: - get - list - watch - apiGroups: - bitnami.com resources: - sealedsecrets/status verbs: - update - apiGroups: - "" resources: - secrets verbs: - get - list - create - update - delete - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - "" resources: - namespaces verbs: - get --- apiVersion: v1 kind: ServiceAccount metadata: annotations: {} labels: name: sealed-secrets-controller name: sealed-secrets-controller namespace: sealed-secrets --- apiVersion: v1 kind: Service metadata: annotations: {} labels: name: sealed-secrets-controller name: sealed-secrets-controller namespace: sealed-secrets spec: ports: - port: 8080 targetPort: 8080 selector: name: sealed-secrets-controller type: ClusterIP --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: {} labels: name: sealed-secrets-service-proxier name: sealed-secrets-service-proxier namespace: sealed-secrets roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: sealed-secrets-service-proxier subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: annotations: {} labels: name: sealed-secrets-service-proxier name: sealed-secrets-service-proxier namespace: sealed-secrets rules: - apiGroups: - "" resourceNames: - sealed-secrets-controller resources: - services verbs: - get - apiGroups: - "" resourceNames: - 'http:sealed-secrets-controller:' - http:sealed-secrets-controller:http - sealed-secrets-controller resources: - services/proxy verbs: - create - get --- apiVersion: apps/v1 kind: Deployment metadata: annotations: {} labels: name: sealed-secrets-controller name: sealed-secrets-controller namespace: sealed-secrets spec: minReadySeconds: 30 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: name: sealed-secrets-controller strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: {} labels: name: sealed-secrets-controller spec: containers: - args: [] command: - controller env: [] image: docker.io/bitnami/sealed-secrets-controller:v0.19.4 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz port: http name: sealed-secrets-controller ports: - containerPort: 8080 name: http readinessProbe: httpGet: path: /healthz port: http securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 stdin: false tty: false volumeMounts: - mountPath: /tmp name: tmp imagePullSecrets: [] initContainers: [] securityContext: fsGroup: 65534 serviceAccountName: sealed-secrets-controller terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: tmp --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: sealedsecrets.bitnami.com spec: group: bitnami.com names: kind: SealedSecret listKind: SealedSecretList plural: sealedsecrets singular: sealedsecret scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: SealedSecret is the K8s representation of a "sealed Secret" - a regular k8s Secret that has been sealed (encrypted) using the controller's key. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: SealedSecretSpec is the specification of a SealedSecret properties: data: description: Data is deprecated and will be removed eventually. Use per-value EncryptedData instead. format: byte type: string encryptedData: additionalProperties: type: string type: object x-kubernetes-preserve-unknown-fields: true template: description: Template defines the structure of the Secret that will be created from this sealed secret. properties: data: additionalProperties: type: string description: Keys that should be templated using decrypted data nullable: true type: object metadata: description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' nullable: true type: object x-kubernetes-preserve-unknown-fields: true type: description: Used to facilitate programmatic handling of secret data. type: string type: object required: - encryptedData type: object status: description: SealedSecretStatus is the most recently observed status of the SealedSecret. properties: conditions: description: Represents the latest available observations of a sealed secret's current state. items: description: SealedSecretCondition describes the state of a sealed secret at a certain point. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string lastUpdateTime: description: The last time this condition was updated. format: date-time type: string message: description: A human readable message indicating details about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: description: 'Status of the condition for a sealed secret. Valid values for "Synced": "True", "False", or "Unknown".' type: string type: description: 'Type of condition for a sealed secret. Valid value: "Synced"' type: string required: - status - type type: object type: array observedGeneration: description: ObservedGeneration reflects the generation most recently observed by the sealed-secrets controller. format: int64 type: integer type: object required: - spec type: object served: true storage: true subresources: status: {}