diff --git a/charts/kubelet-serving-cert-approver/Chart.yaml b/charts/kubelet-serving-cert-approver/Chart.yaml
new file mode 100644
index 0000000..d5ca244
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: kubelet-serving-cert-approver
+version: 0.0.1
+description: Kubelet Serving TLS Certificate Signing Request Approver
+keywords:
+ - kubernetes
+ - certificate
+sources:
+ - https://github.com/alex1989hu/kubelet-serving-cert-approver
+ - https://github.com/alexlebens/helm-charts/charts/homepage
+maintainers:
+ - name: alexlebens
+appVersion: 0.8.1
diff --git a/charts/kubelet-serving-cert-approver/README.md b/charts/kubelet-serving-cert-approver/README.md
new file mode 100644
index 0000000..925fc7d
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/README.md
@@ -0,0 +1,16 @@
+## Introduction
+
+[Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver)
+
+Kubelet Serving Certificate Approver is a custom approving controller which approves kubernetes.io/kubelet-serving Certificate Signing Request that kubelet use to serve TLS endpoints.
+
+This chart bootstraps a [Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).
diff --git a/charts/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml b/charts/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml
new file mode 100644
index 0000000..04f48ec
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml
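Review bot: The second `sources` entry in Chart.yaml points at `charts/homepage`, a different chart in the same repository, which reads as leftover from the chart this one was copied from; it should be `- https://github.com/alexlebens/helm-charts/charts/kubelet-serving-cert-approver` or be dropped. `version: 0.0.1` and `appVersion: 0.8.1` parse as strings as written, so they need no quoting, but `appVersion` and the `image.tag` default in values.yaml (`v0.8.1`) now have to be bumped together on every upgrade; consider defaulting the tag to the chart's `appVersion` to keep them from drifting.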
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "certificates:{{ .Release.Name }}"
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/kubelet-serving-cert-approver/templates/cluster-role.yaml b/charts/kubelet-serving-cert-approver/templates/cluster-role.yaml
new file mode 100644
index 0000000..3c99585
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/templates/cluster-role.yaml
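Review bot: `metadata.namespace` is set on the ClusterRoleBinding, but ClusterRoleBindings are cluster-scoped, so the field does nothing — the API server clears it on create and some tooling warns about it; drop the `namespace: {{ .Release.Namespace }}` line under `metadata`. The two ClusterRoles in cluster-role.yaml carry the same field and should lose it as well. The subject here correctly uses `.Release.Namespace`, which is where service-account.yaml creates the ServiceAccount; the certificates ClusterRole it binds is limited to CSR read, approval update, SubjectAccessReview creation and `approve` on the `kubernetes.io/kubelet-serving` signer only, which is the minimal set for this controller.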
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "certificates:{{ .Release.Name }}"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/kubelet-serving
+ resources:
+ - signers
+ verbs:
+ - approve
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "events:{{ .Release.Name }}"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/charts/kubelet-serving-cert-approver/templates/deployment.yaml b/charts/kubelet-serving-cert-approver/templates/deployment.yaml
new file mode 100644
index 0000000..9f53c42
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/templates/deployment.yaml
@@ -0,0 +1,88 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+spec:
+ revisionHistoryLimit: 3
+ replicas: {{ .Values.deployment.replicas }}
+ strategy:
+ type: {{ .Values.deployment.strategy }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: DoesNotExist
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ weight: 100
+ containers:
+ - name: {{ .Release.Name }}
+ image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+ imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+ ports:
+ - containerPort: 8080
+ name: health
+ - containerPort: 9090
+ name: metrics
+ args:
+ - serve
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: {{ .Release.Namespace }}
+ resources:
+ {{- toYaml .Values.deployment.resources | nindent 12 }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ initialDelaySeconds: 6
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: health
+ initialDelaySeconds: 3
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ priorityClassName: {{ .Values.deployment.priorityClassName }}
+ securityContext:
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: {{ .Release.Name }}
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists
diff --git a/charts/kubelet-serving-cert-approver/templates/namespace.yaml b/charts/kubelet-serving-cert-approver/templates/namespace.yaml
new file mode 100644
index 0000000..5ddca1e
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/templates/namespace.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Release.Name }}
+ labels:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
diff --git a/charts/kubelet-serving-cert-approver/templates/role-binding.yaml b/charts/kubelet-serving-cert-approver/templates/role-binding.yaml
new file mode 100644
index 0000000..72bc269
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/templates/role-binding.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "events:{{ .Release.Name }}"
+ namespace: default
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "events:{{ .Release.Name }}"
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Name }}
diff --git a/charts/kubelet-serving-cert-approver/templates/service-account.yaml b/charts/kubelet-serving-cert-approver/templates/service-account.yaml
new file mode 100644
index 0000000..132ae90
--- /dev/null
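Review bot: `fieldPath: {{ .Release.Namespace }}` under the `NAMESPACE` env var renders the namespace *name* into a field that expects a pod field selector, which the API server rejects as an unsupported field path, so the Deployment should fail validation at install time rather than start. Either use the downward API as intended with `fieldPath: metadata.namespace`, or drop `valueFrom` entirely and set `value: {{ .Release.Namespace | quote }}`, since the value is already known at render time. Whether the controller reads `NAMESPACE` at all is not visible from this chart; worth confirming against the upstream manifests before keeping the variable. The container security context (drop ALL, no privilege escalation, read-only root, non-root) together with the pod-level `seccompProfile: RuntimeDefault` satisfies the restricted Pod Security Standard, which matches the labels namespace.yaml applies.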
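Review bot: namespace.yaml creates a Namespace named `{{ .Release.Name }}`, while every other template places its resources in `{{ .Release.Namespace }}`; unless the release is installed with a name equal to its namespace, the `pod-security.kubernetes.io/enforce: restricted` label lands on a namespace the Deployment never runs in, and the admission enforcement it is meant to provide does not apply to the pod. Use `name: {{ .Release.Namespace }}` or gate the resource behind a value, and note that if the release namespace is created by `helm install --create-namespace`, a Namespace template of the same name will likely collide with the pre-existing object — confirm the intended install flow and document it in the README.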
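Review bot: The RoleBinding subject uses `namespace: {{ .Release.Name }}`, but service-account.yaml creates the ServiceAccount in `{{ .Release.Namespace }}`, so the binding refers to a non-existent account unless release name and namespace coincide and the controller is left unable to record events; change it to `namespace: {{ .Release.Namespace }}`. `metadata.namespace: default` is presumably deliberate — events for cluster-scoped objects such as CertificateSigningRequests are recorded in the `default` namespace — so a comment such as `# events for cluster-scoped CSRs are recorded in the default namespace` above it would make clear this is not a copy-paste slip.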
+++ b/charts/kubelet-serving-cert-approver/templates/service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
diff --git a/charts/kubelet-serving-cert-approver/templates/service.yaml b/charts/kubelet-serving-cert-approver/templates/service.yaml
new file mode 100644
index 0000000..e7c1f3d
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: helm
+spec:
+ ports:
+ - name: metrics
+ port: 9090
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/name: {{ .Release.Name }}
diff --git a/charts/kubelet-serving-cert-approver/values.yaml b/charts/kubelet-serving-cert-approver/values.yaml
new file mode 100644
index 0000000..088eb0d
--- /dev/null
+++ b/charts/kubelet-serving-cert-approver/values.yaml
@@ -0,0 +1,15 @@
+deployment:
+ replicas: 1
+ strategy: Recreate
+ priorityClassName: system-cluster-critical
+ image:
+ repository: ghcr.io/alex1989hu/kubelet-serving-cert-approver
+ tag: v0.8.1
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: 250m
+ memory: 32Mi
+ requests:
+ cpu: 10m
+ memory: 16Mi