feat: convert all kubezero modules to use service account tokens
parent
09cc9e25cc
commit
97b94a4ffa
@ -72,8 +72,8 @@ function delete_ns() {
|
||||
|
||||
# Extract crds via helm calls and apply delta=crds only
|
||||
function _crds() {
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-no-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml
|
||||
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||
[ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml
|
||||
}
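Review bot: The CRD extraction `diff -e … | head -n-1 | tail -n+2` only works if the ed script contains a single hunk, i.e. the CRDs are one contiguous insertion; now that the two renders also differ by `installCRDs=false` versus `true` (the helm lines printed last, which I read as the new side, though the page does not mark them), any chart whose templates change elsewhere under that flag produces a second hunk and `crds.yaml` then carries `NNa` / `.` ed commands straight into `kubectl apply`. Filtering by content rather than position — dropping lines matching `^[0-9,]*a$` and `^\.$` — or rendering once with `--include-crds` and selecting only `kind: CustomResourceDefinition` documents would not depend on hunk count. Separately, `[ -s … ] && kubectl apply …` as the last command makes `_crds` return 1 whenever a chart ships no CRDs, which aborts the caller if the script runs under `set -e` (not visible here); `if [ -s "$TMPDIR/crds.yaml" ]; then kubectl apply -f "$TMPDIR/crds.yaml"; fi` keeps the apply failure visible without turning "no CRDs" into an error, and quoting `$TMPDIR` throughout would be prudent.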
|
||||
|
@ -1,10 +1,16 @@
|
||||
{{- define "aws-ebs-csi-driver-values" }}
|
||||
aws-ebs-csi-driver:
|
||||
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
|
||||
podAnnotations:
|
||||
iam.amazonaws.com/role: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
|
||||
extraVolumeTags:
|
||||
Name: {{ .Values.ClusterName }}
|
||||
controller:
|
||||
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
|
||||
k8sTagClusterId: {{ .Values.ClusterName }}
|
||||
env:
|
||||
ebsPlugin:
|
||||
- name: AWS_ROLE_ARN
|
||||
value: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
|
||||
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||||
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
||||
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||||
value: regional
|
||||
{{- end }}
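Review bot: `AWS_WEB_IDENTITY_TOKEN_FILE` now points at `/var/run/secrets/sts.amazonaws.com/serviceaccount/token`, but nothing in this hunk mounts a token there, whereas the cert-manager values in the same commit pair these env vars with a projected `serviceAccountToken` volume (audience `sts.amazonaws.com`) and a read-only volumeMount. Unless the aws-ebs-csi-driver chart's controller template already provides that projection, the SDK presumably finds no file, fails the web-identity provider and falls through to whatever the node's instance profile grants, which silently widens the driver's permissions instead of scoping them to `IamArn`. Adding the equivalent `controller.volumes` / `controller.volumeMounts` here (or a comment confirming the chart does it, e.g. `# token is projected by the chart's controller template with audience sts.amazonaws.com`) keeps the modules consistent, and the role's trust policy should require `aud` = `sts.amazonaws.com` plus the driver's `sub`, since a token minted for any other audience must not be exchangeable for this role. Whether the `iam.amazonaws.com/role` pod annotation survives on the new side is not marked on this page; if it does, the pod keeps two credential paths.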
|
||||
|
||||
|
||||
|
@ -1,19 +1,19 @@
|
||||
{{- define "aws-efs-csi-driver-values" }}
|
||||
{{- with index .Values "aws-efs-csi-driver" "nodeSelector" }}
|
||||
{{ with index .Values "aws-efs-csi-driver" "IamArn" }}
|
||||
aws-efs-csi-driver:
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
controller:
|
||||
extraEnv:
|
||||
- name: AWS_ROLE_ARN
|
||||
value: "{{ . }}"
|
||||
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||||
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
||||
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||||
value: regional
|
||||
{{- end }}
|
||||
{{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }}
|
||||
PersistentVolumes:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if index .Values "aws-efs-csi-driver" "EfsId" }}
|
||||
PersistentVolume:
|
||||
create: true
|
||||
EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }}
|
||||
Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
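Review bot: The new `{{ with index .Values "aws-efs-csi-driver" "IamArn" }}` block rebinds `.` to the ARN string, so if the `nodeSelector: {{- toYaml . | nindent 4 }}` lines still sit inside it on the new side, the selector renders as the ARN rather than the selector map; if they were dropped instead, the `nodeSelector` knob disappears with this commit without mention in the message (the page does not mark which side those lines are on). Either way the selector should come from its own `{{- with index .Values "aws-efs-csi-driver" "nodeSelector" }}` block, independent of whether an IAM role is configured. The opening tag also lacks the `{{-` trim used on every other action in this file, so it leaves a blank line in the rendered values; `{{- with index .Values "aws-efs-csi-driver" "IamArn" }}` matches the rest. As with the other modules, the token path in `AWS_WEB_IDENTITY_TOKEN_FILE` is only useful if a projected token with audience `sts.amazonaws.com` is actually mounted there, which this hunk does not show.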
|
||||
|
||||
|
@ -4,8 +4,27 @@ localCA:
|
||||
enabled: true
|
||||
{{ with index .Values "cert-manager" "IamArn" }}
|
||||
cert-manager:
|
||||
podAnnotations:
|
||||
iam.amazonaws.com/role: "{{ . }}"
|
||||
extraEnv:
|
||||
- name: AWS_ROLE_ARN
|
||||
value: "{{ . }}"
|
||||
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||||
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
||||
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||||
value: regional
|
||||
|
||||
volumes:
|
||||
- name: aws-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: token
|
||||
expirationSeconds: 86400
|
||||
audience: "sts.amazonaws.com"
|
||||
|
||||
volumeMounts:
|
||||
- name: aws-token
|
||||
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
|
||||
{{- with index .Values "cert-manager" "clusterIssuer" }}
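Review bot: `expirationSeconds: 86400` on the projected token is longer than needed: the kubelet rotates a projected token before it expires and the AWS SDKs re-read the file on each credential refresh, so a short TTL such as `expirationSeconds: 3600` costs nothing operationally and bounds how long a token copied out of the pod or off the node can still be exchanged at STS. Binding the token to `audience: "sts.amazonaws.com"` is the right design — the default kubelet-mounted token carries the API-server audience and must not be accepted by the role — but that only holds if the role's trust policy conditions on `:aud` and on `:sub` for the cert-manager service account, which lives outside this chart and deserves a comment here, e.g. `# role trust policy must require aud=sts.amazonaws.com and sub=system:serviceaccount:<ns>:<cert-manager sa>`. Whether the `iam.amazonaws.com/role` podAnnotation survives on the new side is not marked on this page; if it does, cert-manager keeps an annotation-based credential path alongside the token one. Writing the ARN as `{{ . | quote }}` would also match the aws-ebs-csi-driver values in the same commit.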
|
||||
|
@ -16,9 +16,22 @@ istio-ingress:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
|
||||
# Legacy
|
||||
dnsNames:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
|
||||
certificates:
|
||||
- name: ingress-cert
|
||||
dnsNames:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
# New multi cert gateway
|
||||
{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
|
||||
- name: {{ $cert.name }}
|
||||
dnsNames:
|
||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
proxyProtocol: {{ default false (index .Values "istio-ingress" "public" "proxyProtocol") }}
|
||||
{{- end }}
|
||||
|
||||
{{- if index .Values "istio-ingress" "private" }}
|
||||
@ -32,9 +45,22 @@ istio-private-ingress:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with index .Values "istio-ingress" "private" "dnsNames" }}
|
||||
# Legacy
|
||||
dnsNames:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
|
||||
certificates:
|
||||
- name: private-ingress-cert
|
||||
dnsNames:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
# New multi cert gateway
|
||||
{{- range $cert := (index .Values "istio-ingress" "private" "certificates") }}
|
||||
- name: {{ $cert.name }}
|
||||
dnsNames:
|
||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
proxyProtocol: {{ default false (index .Values "istio-ingress" "private" "proxyProtocol") }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
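Review bot: The `certificates:` key is only emitted inside the legacy `with … "public" "dnsNames"` block, while the `range` over `"public" "certificates"` that follows sits outside it; a cluster that configures only the new `certificates` list therefore renders bare `- name:` items with no parent key, which is not valid under the enclosing map, and the private-ingress hunk below has the same shape. The fix is to open `certificates:` whenever either source is set and nest both the legacy item and the range under it, as sketched below for the public gateway; the rendered page drops leading whitespace, so the indentation of the range items relative to `certificates:` should be checked in the file as well. With `toYaml $cert.dnsNames`, a list entry that omits `dnsNames` renders `null`, so `{{- toYaml (required "certificates[].dnsNames is required" $cert.dnsNames) | nindent 4 }}` fails the render instead of producing a certificate with no names.
```yaml
# … unchanged: legacy top-level dnsNames emitted from its own with-block …
{{- if or (index .Values "istio-ingress" "public" "dnsNames") (index .Values "istio-ingress" "public" "certificates") }}
certificates:
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
# Legacy
- name: ingress-cert
  dnsNames:
  {{- toYaml . | nindent 4 }}
{{- end }}
# New multi cert gateway
{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
- name: {{ $cert.name }}
  dnsNames:
  {{- toYaml (required "certificates[].dnsNames is required" $cert.dnsNames) | nindent 4 }}
{{- end }}
{{- end }}
# … unchanged: proxyProtocol line …
```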
|
||||
|