Merge branch 'main' into feature/samaccountname-rules
Showing
12 changed files
with
349 additions
and
5 deletions.
55 changes: 55 additions & 0 deletions
55
deploy/helm/secret-operator/templates/secret_migration_job.yaml
@@ -0,0 +1,55 @@ | ||
--- | ||
# Migrates the TLS CA keypair from the hard-coded default namespace to the operator namespace | ||
# See https://github.com/stackabletech/secret-operator/issues/453 | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: {{ include "operator.fullname" . }}-secret-migration | ||
annotations: | ||
"helm.sh/hook": pre-install | ||
"helm.sh/hook-delete-policy": hook-succeeded | ||
"helm.sh/hook-weight": "-5" | ||
labels: | ||
{{- include "operator.labels" . | nindent 4 }} | ||
spec: | ||
template: | ||
metadata: | ||
{{- with .Values.podAnnotations }} | ||
annotations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
labels: | ||
{{- include "operator.selectorLabels" . | nindent 8 }} | ||
spec: | ||
{{- with .Values.image.pullSecrets }} | ||
imagePullSecrets: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
serviceAccountName: {{ include "operator.fullname" . }}-secret-migration-serviceaccount | ||
securityContext: | ||
{{- toYaml .Values.podSecurityContext | nindent 8 }} | ||
containers: | ||
- name: migrate-secret | ||
image: "{{ .Values.secretMigrationJob.image.repository }}:1.0.0-stackable24.7.0" | ||
imagePullPolicy: {{ .Values.secretMigrationJob.image.pullPolicy }} | ||
resources: | ||
{{ .Values.secretMigrationJob.resources | toYaml | nindent 12 }} | ||
command: ["bash", "-c"] | ||
args: | ||
- | | ||
#!/bin/bash | ||
set -euo pipefail | ||
SOURCE_NAMESPACE=default | ||
TARGET_NAMESPACE={{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }} | ||
# only continue if secret exists | ||
if source_ca_secret="$(kubectl get secret -n $SOURCE_NAMESPACE secret-provisioner-tls-ca -o json)"; then | ||
echo "secret exists in namespace $SOURCE_NAMESPACE" | ||
# only continue if secret in target namespace does NOT exist | ||
if ! kubectl get secret -n $TARGET_NAMESPACE secret-provisioner-tls-ca; then | ||
echo "secret does not exist in namespace $TARGET_NAMESPACE" | ||
# copy secret from default to {{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }} | ||
echo "$source_ca_secret" | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' | kubectl apply -n $TARGET_NAMESPACE -f - | ||
fi | ||
fi | ||
restartPolicy: Never |
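Review bot: The target check `if ! kubectl get secret -n $TARGET_NAMESPACE secret-provisioner-tls-ca; then` treats every non-zero exit (RBAC denial, API timeout) as "not found", and the `kubectl apply -f -` that follows would then overwrite a CA secret that already exists in the target namespace, silently replacing the trust anchor it represents. Separating not-found from other errors and using a non-overwriting write closes that gap: `if [ -z "$(kubectl get secret -n "$TARGET_NAMESPACE" secret-provisioner-tls-ca --ignore-not-found -o name)" ]; then` together with `... | kubectl create -n "$TARGET_NAMESPACE" -f -`, so a genuine race still fails the hook instead of clobbering the target. The first check has the mirror-image problem: a failed read of the source namespace is indistinguishable from "nothing to migrate", so an `else` branch that logs the kubectl error would make a permissions problem visible in the hook output rather than passing the install. Quoting `"$SOURCE_NAMESPACE"` and `"$TARGET_NAMESPACE"` throughout is also the expected style under `set -u`.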
56 changes: 56 additions & 0 deletions
56
deploy/helm/secret-operator/templates/secret_migration_rbac.yaml
@@ -0,0 +1,56 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount | ||
labels: | ||
{{- include "operator.labels" . | nindent 4 }} | ||
annotations: | ||
"helm.sh/hook": pre-install | ||
"helm.sh/hook-delete-policy": hook-succeeded | ||
"helm.sh/hook-weight": "-10" | ||
{{- with .Values.serviceAccount.annotations }} | ||
{{- toYaml . | nindent 4 }} | ||
{{- end }} | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: {{ include "operator.fullname" . }}-secret-migration-clusterrolebinding | ||
annotations: | ||
"helm.sh/hook": pre-install | ||
"helm.sh/hook-delete-policy": hook-succeeded | ||
"helm.sh/hook-weight": "-10" | ||
labels: | ||
{{- include "operator.labels" . | nindent 4 }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount | ||
namespace: {{ .Release.Namespace }} | ||
roleRef: | ||
kind: ClusterRole | ||
name: {{ include "operator.fullname" . }}-secret-migration-clusterrole | ||
apiGroup: rbac.authorization.k8s.io | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ include "operator.fullname" . }}-secret-migration-clusterrole | ||
annotations: | ||
"helm.sh/hook": pre-install | ||
"helm.sh/hook-delete-policy": hook-succeeded | ||
"helm.sh/hook-weight": "-10" | ||
labels: | ||
{{- include "operator.labels" . | nindent 4 }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- create | ||
- patch | ||
- update |
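Review bot: The ClusterRole at `rules:` grants get/list/watch/create/patch/update on every Secret in the cluster, while the job it serves (secret_migration_job.yaml in this commit) only reads one named secret in `default` and writes one into the target namespace, and `list`/`watch` are not exercised by `kubectl get <name>` or `kubectl apply` at all. Both namespaces are known at render time, so two namespaced Roles with `get` in `default` and `get`/`create`/`patch` in `{{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}`, each bound by a RoleBinding, would cover the script with far less blast radius if the migration image or the hook pod were ever compromised. Note also that `"helm.sh/hook-delete-policy": hook-succeeded` leaves the ServiceAccount and its cluster-wide Secret grant in place after a failed hook run until the next attempt; whether `hook-succeeded,hook-failed` is acceptable depends on how much you want to keep for debugging, but the trade-off is worth a comment on the annotation. A one-line comment above `rules:` stating why cluster scope was chosen, if it is intentional, would help the next reviewer.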
16 changes: 16 additions & 0 deletions
16
docs/modules/secret-operator/examples/cert-manager/certificate.yaml
@@ -0,0 +1,16 @@ | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Certificate | ||
metadata: | ||
name: my-app-tls # <1> | ||
spec: | ||
secretName: my-app-tls # <2> | ||
secretTemplate: | ||
labels: | ||
secrets.stackable.tech/class: tls-cert-manager # <3> | ||
secrets.stackable.tech/service: my-app # <4> | ||
dnsNames: | ||
- my-app # <5> | ||
issuerRef: | ||
kind: Issuer | ||
name: secret-operator-demonstration # <6> |
28 changes: 28 additions & 0 deletions
28
docs/modules/secret-operator/examples/cert-manager/issuer.yaml
@@ -0,0 +1,28 @@ | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Issuer | ||
metadata: | ||
name: secret-operator-demonstration # <1> | ||
spec: | ||
ca: | ||
secretName: secret-operator-demonstration-ca | ||
# Create a self-signed CA for secret-operator-demonstration to use | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Certificate | ||
metadata: | ||
name: secret-operator-demonstration-ca | ||
spec: | ||
secretName: secret-operator-demonstration-ca | ||
isCA: true | ||
commonName: Stackable Secret Operator/Cert-Manager Demonstration CA | ||
issuerRef: | ||
kind: Issuer | ||
name: secret-operator-demonstration-ca | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Issuer | ||
metadata: | ||
name: secret-operator-demonstration-ca | ||
spec: | ||
selfSigned: {} |
71 changes: 71 additions & 0 deletions
71
docs/modules/secret-operator/examples/cert-manager/pod.yaml
@@ -0,0 +1,71 @@ | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: my-app | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: my-app | ||
template: | ||
metadata: | ||
labels: | ||
app: my-app | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
volumeMounts: | ||
- name: tls | ||
mountPath: /tls | ||
- name: config | ||
mountPath: /etc/nginx/conf.d | ||
ports: | ||
- name: https | ||
containerPort: 443 | ||
volumes: | ||
- name: tls # <1> | ||
ephemeral: | ||
volumeClaimTemplate: | ||
metadata: | ||
annotations: | ||
secrets.stackable.tech/class: tls-cert-manager # <2> | ||
secrets.stackable.tech/scope: service=my-app # <3> | ||
spec: | ||
storageClassName: secrets.stackable.tech | ||
accessModes: | ||
- ReadWriteOnce | ||
resources: | ||
requests: | ||
storage: "1" | ||
- name: config | ||
configMap: | ||
name: my-app | ||
--- # <4> | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: my-app | ||
data: | ||
default.conf: | | ||
server { | ||
listen 443 ssl; | ||
ssl_certificate /tls/tls.crt; | ||
ssl_certificate_key /tls/tls.key; | ||
location / { | ||
root /usr/share/nginx/html; | ||
index index.html index.htm; | ||
} | ||
} | ||
--- # <5> | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: my-app | ||
spec: | ||
selector: | ||
app: my-app | ||
ports: | ||
- name: https | ||
port: 443 |
10 changes: 10 additions & 0 deletions
10
docs/modules/secret-operator/examples/cert-manager/secretclass.yaml
@@ -0,0 +1,10 @@ | ||
--- | ||
apiVersion: secrets.stackable.tech/v1alpha1 | ||
kind: SecretClass | ||
metadata: | ||
name: tls-cert-manager # <1> | ||
spec: | ||
backend: | ||
k8sSearch: | ||
searchNamespace: | ||
pod: {} # <2> |