diff --git a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/Chart.yaml b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/Chart.yaml
index dd8b7979d..763e341da 100644
--- a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/Chart.yaml
+++ b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/Chart.yaml
@@ -1,11 +1,18 @@
 apiVersion: v2
 name: kubelet-serving-cert-approver
-version: 0.0.3
+version: 1.0.0
+description: Kubelet Serving TLS Certificate Signing Request Approver
+keywords:
+  - kubernetes
+  - certificate
 sources:
   - https://github.com/alex1989hu/kubelet-serving-cert-approver
-  - https://github.com/alexlebens/helm-charts/charts/homepage
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
 dependencies:
-  - name: kubelet-serving-cert-approver
-    version: 0.0.4
-    repository: http://alexlebens.github.io/helm-charts
-appVersion: 0.8.1
+  - name: app-template
+    alias: kubelet-serving-cert-approver
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.2.1
+appVersion: 0.8.3
diff --git a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml
new file mode 100644
index 000000000..816381ac0
--- /dev/null
+++ b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "certificates:{{ .Release.Name }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
diff --git a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/cluster-role.yaml b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/cluster-role.yaml
new file mode 100644
index 000000000..45165caf7
--- /dev/null
+++ b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/cluster-role.yaml
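Review bot: The subject at the end of the hunk names the ServiceAccount `{{ .Release.Name }}`, while role-binding.yaml in the same commit binds the literal `kubelet-serving-cert-approver`; at most one of these matches the account the app-template subchart actually creates (`serviceAccount.create: true` in values.yaml), so the other binding silently grants nothing and the approver either cannot approve CSRs or cannot record events. Render the chart, read the ServiceAccount name it produces, and use the same expression for `subjects[].name` in both bindings. Separately, `namespace: {{ .Release.Namespace }}` under `metadata:` has no meaning on a cluster-scoped ClusterRoleBinding and should be dropped; the same line appears on both ClusterRoles in cluster-role.yaml.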
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "certificates:{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - update
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  - apiGroups:
+      - certificates.k8s.io
+    resourceNames:
+      - kubernetes.io/kubelet-serving
+    resources:
+      - signers
+    verbs:
+      - approve
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "events:{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
diff --git a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/namespace.yaml b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/namespace.yaml
new file mode 100644
index 000000000..18e109be5
--- /dev/null
+++ b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/namespace.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubelet-serving-cert-approver
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted
diff --git a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/role-binding.yaml b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/role-binding.yaml
new file mode 100644
index 000000000..94da5493f
--- /dev/null
+++ b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/templates/role-binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "events:{{ .Release.Name }}"
+  namespace: default
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "events:{{ .Release.Name }}"
+subjects:
+  - kind: ServiceAccount
+    name: kubelet-serving-cert-approver
+    namespace: {{ .Release.Name }}
diff --git a/clusters/cl01tl/standalone/kubelet-serving-cert-approver/values.yaml b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/values.yaml
new file mode 100644
index 000000000..8e7ee03dc
--- /dev/null
+++ b/clusters/cl01tl/standalone/kubelet-serving-cert-approver/values.yaml
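Review bot: `name: kubelet-serving-cert-approver` on the Namespace is hard-coded while every other template in this commit addresses `{{ .Release.Namespace }}`, so installing the release anywhere else creates an empty namespace carrying the PSA labels and leaves the workload in one without `restricted` enforcement. Either render `name: {{ .Release.Namespace }}` or document in Chart.yaml that the release must be installed into this exact namespace. The `enforce: restricted` label is consistent with the pod and container securityContext in values.yaml (runAsNonRoot, seccomp RuntimeDefault, drop ALL, no privilege escalation), so admission should pass as far as the visible values show. Note that a chart cannot normally create the namespace it is itself being installed into; presumably the installer creates it first (`--create-namespace` or the GitOps equivalent), which is worth stating in a comment above `kind: Namespace`.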
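Review bot: The subject's `namespace: {{ .Release.Name }}` on the last line of the RoleBinding hunk is a release name, not a namespace; cluster-role-binding.yaml uses `namespace: {{ .Release.Namespace }}` for the same ServiceAccount, so unless the release happens to be named after its namespace this binding points at a non-existent subject and the `events:` ClusterRole grants nothing. Change it to `namespace: {{ .Release.Namespace }}`. The RoleBinding's own `namespace: default` is the only hard-coded namespace in the commit; if the controller is meant to emit events in the namespace it runs in, this should also be `{{ .Release.Namespace }}`, otherwise a comment explaining why `default` is intended would help the next reader. `name: kubelet-serving-cert-approver` and `app.kubernetes.io/part-of: kubelet-serving-cert-approver` likewise disagree with the `{{ .Release.Name }}` expressions used in the other templates and should be aligned with whichever name the rendered ServiceAccount actually has.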
@@ -0,0 +1,74 @@
+kubelet-serving-cert-approver:
+  defaultPodOptions:
+    priorityClassName: system-cluster-critical
+    affinity:
+      nodeAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+          - preference:
+              matchExpressions:
+                - key: node-role.kubernetes.io/master
+                  operator: DoesNotExist
+                - key: node-role.kubernetes.io/control-plane
+                  operator: DoesNotExist
+            weight: 100
+    securityContext:
+      fsGroup: 65534
+      runAsGroup: 65534
+      runAsUser: 65534
+      seccompProfile:
+        type: RuntimeDefault
+    tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/alex1989hu/kubelet-serving-cert-approver
+            tag: v0.8.3
+            pullPolicy: Always
+          args:
+            - serve
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        health:
+          port: 8080
+          targetPort: 8080
+          protocol: HTTP
+    main:
+      controller: main
+      ports:
+        metrics:
+          port: 9090
+          targetPort: 9090
+          protocol: HTTP
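Review bot: The `service:` mapping at the end of the hunk defines the key `main` twice, once with the `health` port 8080 and once with the `metrics` port 9090, as far as the collapsed indentation lets me tell; depending on the YAML loader this is either a parse error or a silent last-wins, in which case the health Service on 8080 is never rendered. Merge them into one service by deleting the second `main:`, `controller: main` and `ports:` lines so `metrics` sits beside `health` under the same `ports:`, or give the second entry a distinct name such as `metrics`. `pullPolicy: Always` together with the fixed `tag: v0.8.3` re-resolves a mutable tag on every pod start, so a tag moved upstream changes the running binary without any change in this repository; `IfNotPresent` with the pinned tag, or a digest pin if the subchart supports it, gives a reproducible rollout. The container securityContext (drop ALL, readOnlyRootFilesystem, runAsNonRoot, no privilege escalation) matches the `restricted` PSA labels applied in namespace.yaml.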