basic injector

marcel-dempers 2020-02-23 23:14:17 +00:00
parent 1f6ccdc4bb
commit e454f2783b
7 changed files with 42 additions and 87 deletions


@ -1,12 +1,9 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole name: vault-example-agent-injector-clusterrole
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules: rules:
- apiGroups: ["admissionregistration.k8s.io"] - apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"] resources: ["mutatingwebhookconfigurations"]
@ -15,4 +12,3 @@ rules:
- "list" - "list"
- "watch" - "watch"
- "patch" - "patch"
{{ end }}
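Review bot: The rules block (`get`/`list`/`watch`/`patch` on every `mutatingwebhookconfigurations` object, kept unchanged from the chart) lets the injector's service account rewrite any mutating webhook in the cluster, not just its own. Now that the name is hard-coded, `get` and `patch` can be confined with a second rule carrying `resourceNames: ["vault-example-agent-injector-cfg"]`, leaving only `list`/`watch` unscoped because RBAC cannot filter those two verbs by name. Whether vault-k8s 0.1.2 actually issues `list`/`watch` calls isn't visible here, so confirm before dropping them rather than assuming.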


@ -1,19 +1,14 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-binding name: vault-example-agent-injector-binding
namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ template "vault.fullname" . }}-agent-injector-clusterrole name: vault-example-agent-injector-clusterrole
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector name: vault-example-agent-injector
namespace: {{ .Release.Namespace }} namespace: vault-example
{{ end }}


@ -1,59 +1,44 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
# Deployment for the injector
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: vault-example-agent-injector
namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
component: webhook component: webhook
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
template: template:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
spec: spec:
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" serviceAccountName: vault-example-agent-injector
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }} runAsGroup: 1000
runAsUser: {{ .Values.injector.uid | default 100 }} runAsUser: 100
containers: containers:
- name: sidecar-injector - name: sidecar-injector
{{ template "injector.resources" . }} image: "hashicorp/vault-k8s:0.1.2"
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: IfNotPresent
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
env: env:
- name: AGENT_INJECT_LISTEN - name: AGENT_INJECT_LISTEN
value: ":8080" value: ":8080"
- name: AGENT_INJECT_LOG_LEVEL - name: AGENT_INJECT_LOG_LEVEL
value: {{ .Values.injector.logLevel | default "info" }} value: "info"
- name: AGENT_INJECT_VAULT_ADDR - name: AGENT_INJECT_VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} value: http://vault-example:8200
- name: AGENT_INJECT_VAULT_IMAGE - name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" value: "vault:1.3.1"
{{- if .Values.injector.certs.secretName }}
- name: AGENT_INJECT_TLS_CERT_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
- name: AGENT_INJECT_TLS_KEY_FILE
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
{{- else }}
- name: AGENT_INJECT_TLS_AUTO - name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg value: vault-example-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS - name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc value: vault-example-agent-injector-svc,vault-example-agent-injector-svc.vault-example,vault-example-agent-injector-svc.vault-example.svc
{{- end }}
args: args:
- agent-inject - agent-inject
- 2>&1 - 2>&1
@ -77,14 +62,3 @@ spec:
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
timeoutSeconds: 5 timeoutSeconds: 5
{{- if .Values.injector.certs.secretName }}
volumeMounts:
- name: webhook-certs
mountPath: /etc/webhook/certs
readOnly: true
volumes:
- name: webhook-certs
secret:
secretName: "{{ .Values.injector.certs.secretName }}"
{{- end }}
{{ end }}
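Review bot: `AGENT_INJECT_VAULT_ADDR` is now hard-coded to `http://vault-example:8200`, so every injected agent will log in to Vault and pull secrets over cleartext inside the cluster; unless Vault is deliberately running with TLS disabled for a demo, this should be an `https://` address with the agents given Vault's CA certificate to verify it, and the demo-only nature should be stated in a comment next to the value. Dropping `{{ template "injector.resources" . }}` also removed the container's `resources:` stanza, leaving the webhook pod unbounded unless it was re-added in the unchanged lines between the two hunks; add at least `resources: {requests: {cpu: 100m, memory: 128Mi}, limits: {cpu: 250m, memory: 256Mi}}` so a misbehaving injector cannot starve the node. The image is pinned by tag only (`hashicorp/vault-k8s:0.1.2`); pin by digest (`image: "hashicorp/vault-k8s@sha256:…"`) if this manifest is meant to be reproducible. The pod-level `runAsNonRoot`/`runAsUser` settings survived the change, but a container-level `securityContext` with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: ["ALL"]}` is still missing.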


@ -1,27 +1,28 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} apiVersion: admissionregistration.k8s.io/v1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-cfg name: vault-example-agent-injector-cfg
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
webhooks: webhooks:
- name: vault.hashicorp.com - name: vault.hashicorp.com
clientConfig: clientConfig:
service: service:
name: {{ template "vault.fullname" . }}-agent-injector-svc name: vault-example-agent-injector-svc
namespace: {{ .Release.Namespace }} namespace: vault-example
path: "/mutate" path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle }} caBundle: ""
rules: rules:
- operations: ["CREATE", "UPDATE"] - operations: ["CREATE", "UPDATE"]
apiGroups: [""] apiGroups: [""]
apiVersions: ["v1"] apiVersions: ["v1"]
resources: ["pods"] resources: ["pods"]
{{- if .Values.injector.namespaceSelector }}
namespaceSelector: namespaceSelector:
{{ toYaml .Values.injector.namespaceSelector | indent 6}} matchExpressions:
{{ end }} - key: name
{{ end }} operator: In
values:
- example-app
sideEffects: None
admissionReviewVersions:
- "v1"
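Review bot: Moving to `admissionregistration.k8s.io/v1` silently changes the webhook's default `failurePolicy` from `Ignore` to `Fail`, and `caBundle: ""` means the API server cannot verify the injector until the injector itself (presumably via `AGENT_INJECT_TLS_AUTO` and its `patch` permission) writes the bundle in at startup. With a single replica in the Deployment that combination rejects every pod create/update in the selected namespace whenever the injector is down or restarting; make the choice explicit with `failurePolicy: Fail` (fail-closed, the safer option) or `Ignore` if availability matters more here, and consider an `objectSelector` so only pods that opt in reach the webhook at all. The `namespaceSelector` keys on a `name` label that Kubernetes does not set by itself (the built-in `kubernetes.io/metadata.name` label only exists on newer clusters), so document that `kubectl label namespace example-app name=example-app` is required or the webhook never matches.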


@ -1,19 +1,13 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc name: vault-example-agent-injector-svc
namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec: spec:
ports: ports:
- port: 443 - port: 443
targetPort: 8080 targetPort: 8080
selector: selector:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
component: webhook component: webhook
{{- end }}


@ -1,11 +1,6 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ template "vault.fullname" . }}-agent-injector name: vault-example-agent-injector
namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/name: vault-example-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ end }}


@ -15,8 +15,8 @@ spec:
publishNotReadyAddresses: true publishNotReadyAddresses: true
ports: ports:
- name: http - name: http
port: 80 port: 8200
targetPort: 80 targetPort: 8200
- name: internal - name: internal
port: 8201 port: 8201
targetPort: 8201 targetPort: 8201