chore: Update manifests after change

2025-12-12 01:27:01 +00:00
parent 7eca992b27
commit 68e1aad5b4
7 changed files with 195 additions and 45 deletions


@@ -1,22 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hubble-relay-client-certs
namespace: kube-system
spec:
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: ca-issuer
secretName: hubble-relay-client-certs
commonName: "*.hubble-relay.cilium.io"
dnsNames:
- "*.hubble-relay.cilium.io"
duration: 8760h0m0s
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- client auth


@@ -1,23 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hubble-server-certs
namespace: kube-system
spec:
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: ca-issuer
secretName: hubble-server-certs
commonName: "*.default.hubble-grpc.cilium.io"
dnsNames:
- "*.default.hubble-grpc.cilium.io"
duration: 8760h0m0s
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- server auth
- client auth


@@ -0,0 +1,71 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
app.kubernetes.io/name: hubble-generate-certs
app.kubernetes.io/part-of: cilium
spec:
schedule: "0 0 1 */4 *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: certgen
image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
command:
- "/usr/bin/cilium-certgen"
args:
- "--ca-generate=true"
- "--ca-reuse-secret"
- "--ca-secret-namespace=kube-system"
- "--ca-secret-name=cilium-ca"
- "--ca-common-name=Cilium CA"
env:
- name: CILIUM_CERTGEN_CONFIG
value: |
certs:
- name: hubble-server-certs
namespace: kube-system
commonName: "*.default.hubble-grpc.cilium.io"
hosts:
- "*.default.hubble-grpc.cilium.io"
usage:
- signing
- key encipherment
- server auth
- client auth
validity: 8760h
- name: hubble-relay-client-certs
namespace: kube-system
commonName: "*.hubble-relay.cilium.io"
hosts:
- "*.hubble-relay.cilium.io"
usage:
- signing
- key encipherment
- client auth
validity: 8760h
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true
restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800
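Review bot: The `certgen` container's `securityContext` drops all capabilities and blocks privilege escalation but sets neither `runAsNonRoot: true` nor `readOnlyRootFilesystem: true`, and the same block is repeated in the one-shot Job manifest in this commit. The pod runs in `kube-system` with a mounted service-account token that can read and update the `cilium-ca` secret, so it is worth tightening as far as the image allows; whether the certgen image already runs as a non-root user is not visible here and should be confirmed first. Separately, `--ca-generate=true` with `--ca-secret-name=cilium-ca` means the Hubble certificates are now signed by a CA whose key is kept in a Secret in `kube-system` instead of being issued through the `ca-issuer` ClusterIssuer used by the removed Certificates, so read access to secrets in that namespace becomes access to the CA key, and anything that trusted the old chain needs checking. The bare `affinity:` key renders as null; dropping it or writing `affinity: {}` would be clearer.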


@@ -0,0 +1,69 @@
apiVersion: batch/v1
kind: Job
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
app.kubernetes.io/name: hubble-generate-certs
app.kubernetes.io/part-of: cilium
annotations:
"helm.sh/hook": post-install,post-upgrade
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: certgen
image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
command:
- "/usr/bin/cilium-certgen"
args:
- "--ca-generate=true"
- "--ca-reuse-secret"
- "--ca-secret-namespace=kube-system"
- "--ca-secret-name=cilium-ca"
- "--ca-common-name=Cilium CA"
env:
- name: CILIUM_CERTGEN_CONFIG
value: |
certs:
- name: hubble-server-certs
namespace: kube-system
commonName: "*.default.hubble-grpc.cilium.io"
hosts:
- "*.default.hubble-grpc.cilium.io"
usage:
- signing
- key encipherment
- server auth
- client auth
validity: 8760h
- name: hubble-relay-client-certs
namespace: kube-system
commonName: "*.hubble-relay.cilium.io"
hosts:
- "*.hubble-relay.cilium.io"
usage:
- signing
- key encipherment
- client auth
validity: 8760h
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true
restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800
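Review bot: The `"helm.sh/hook": post-install,post-upgrade` annotation on this Job only has an effect if whatever applies these rendered manifests understands Helm hooks, and nothing in the commit shows which tool that is. If the Job is applied as an ordinary resource, `ttlSecondsAfterFinished: 1800` removes it half an hour after completion, and a reconciling deployer would presumably recreate it and re-issue the Hubble server and relay client certificates on each pass. A short comment above `annotations:` stating the intended trigger, for example `# Runs once per install/upgrade; periodic renewal is handled by the CronJob of the same name`, would make the intent reviewable.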


@@ -0,0 +1,35 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- hubble-server-certs
- hubble-relay-client-certs
- hubble-relay-server-certs
- hubble-metrics-server-certs
- hubble-ui-client-certs
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- cilium-ca
verbs:
- get
- update
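Review bot: The second rule's `resourceNames` grants `update` on `hubble-relay-server-certs`, `hubble-metrics-server-certs` and `hubble-ui-client-certs`, but the `CILIUM_CERTGEN_CONFIG` in this commit's Job and CronJob only issues `hubble-server-certs` and `hubble-relay-client-certs`. Trimming the list to those two names keeps the Role at what the job actually needs. The first rule's `create` on `secrets` cannot be narrowed by `resourceNames` in Kubernetes RBAC, so the service account can create arbitrarily named secrets in `kube-system`; a comment such as `# RBAC cannot scope create by resourceNames; this allows creating any secret in the namespace` would record that. The third rule gives `get` and `update` on `cilium-ca`, which holds the CA key, so bindings to this Role should stay limited to the `hubble-generate-certs` service account.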


@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: hubble-generate-certs
subjects:
- kind: ServiceAccount
name: "hubble-generate-certs"
namespace: kube-system


@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "hubble-generate-certs"
namespace: kube-system