feat: convert all kubezero modules to use service account tokens

This commit is contained in:
Stefan Reimer 2021-06-30 12:37:05 +02:00
parent 09cc9e25cc
commit 97b94a4ffa
5 changed files with 69 additions and 18 deletions


@ -72,8 +72,8 @@ function delete_ns() {
# Extract crds via helm calls and apply delta=crds only
function _crds() {
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-no-crds.yaml
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-crds.yaml
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
[ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml
}
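Review bot: The two `helm template` lines that carry `--set ${release}.installCRDs=…` no longer pass `-f $TMPDIR/values.yaml`, so the CRD delta is now rendered from chart defaults plus a single flag; if anything in values.yaml changes which CRDs a chart renders, or a chart does not key CRD installation on `installCRDs`, the extracted `crds.yaml` can differ from what the real release installs. If dropping the values file is deliberate, a comment on the line above such as `# render with chart defaults: only the installCRDs toggle should change the CRD set` would record that; otherwise keep `-f $TMPDIR/values.yaml` next to the `--set`. Which pair of lines is old and which new is inferred from print order only. `_crds` is fully inside the hunk; the `delete_ns` in the hunk header belongs to the preceding function.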


@ -1,10 +1,16 @@
{{- define "aws-ebs-csi-driver-values" }}
aws-ebs-csi-driver:
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
podAnnotations:
iam.amazonaws.com/role: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
extraVolumeTags:
Name: {{ .Values.ClusterName }}
controller:
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
k8sTagClusterId: {{ .Values.ClusterName }}
env:
ebsPlugin:
- name: AWS_ROLE_ARN
value: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
{{- end }}
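Review bot: `AWS_WEB_IDENTITY_TOKEN_FILE` points at `/var/run/secrets/sts.amazonaws.com/serviceaccount/token`, but nothing in this hunk mounts a token there, and the same applies to the aws-efs-csi-driver template in this commit; only the cert-manager template adds the `projected` `serviceAccountToken` volume and matching `volumeMount`. Unless the upstream chart or a webhook supplies that mount, the SDK will presumably fail to open the file and fall through the credential chain. If the mount is expected from elsewhere, a comment above `env:` such as `# token volume is projected by <component> — TODO(review) confirm` would make the dependency visible. Separately, `k8sTagClusterId: {{ .Values.ClusterName }}` is an unquoted templated scalar; `{{ .Values.ClusterName | quote }}` avoids YAML re-typing a number-looking name.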


@ -1,19 +1,19 @@
{{- define "aws-efs-csi-driver-values" }}
{{- with index .Values "aws-efs-csi-driver" "nodeSelector" }}
{{ with index .Values "aws-efs-csi-driver" "IamArn" }}
aws-efs-csi-driver:
nodeSelector:
{{- toYaml . | nindent 4 }}
controller:
extraEnv:
- name: AWS_ROLE_ARN
value: "{{ . }}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
{{- end }}
{{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }}
PersistentVolumes:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if index .Values "aws-efs-csi-driver" "EfsId" }}
PersistentVolume:
create: true
EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }}
Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }}
{{- end }}
{{- end }}
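Review bot: With `{{ with index .Values "aws-efs-csi-driver" "IamArn" }}` now opening the block, `.` inside it is the ARN string, so if the `nodeSelector:` / `{{- toYaml . | nindent 4 }}` lines survive on the new side they render the ARN as the node selector, and if they were removed the `nodeSelector` knob has silently disappeared from the module; either way this deserves confirming and, if intended, a line in the commit message. The new `{{ with` also lacks the `-` used by every other directive here and so emits an empty line. Which lines are old and which new is inferred from print order only; the enclosing define runs entirely inside the hunk.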


@ -4,8 +4,27 @@ localCA:
enabled: true
{{ with index .Values "cert-manager" "IamArn" }}
cert-manager:
podAnnotations:
iam.amazonaws.com/role: "{{ . }}"
extraEnv:
- name: AWS_ROLE_ARN
value: "{{ . }}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
volumeMounts:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }}
{{- with index .Values "cert-manager" "clusterIssuer" }}
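Review bot: The projected token's `expirationSeconds: 86400` and `audience: "sts.amazonaws.com"` carry no comment explaining the choice; a line above `expirationSeconds` such as `# 24h lifetime; kubelet re-projects before expiry and the AWS SDK re-reads the file on each credential refresh, so a shorter value mainly shrinks the window a leaked token stays valid` would document the trade-off and invite tuning. `readOnly: true` on the mount is right. `value: regional` is unquoted while `audience` is quoted; quoting every literal in the stanza the same way reads better. The `{{ with ... "IamArn" }}` at the top lacks the `-` and emits a blank line, and the `cert-manager` block continues past the hunk.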


@ -16,9 +16,22 @@ istio-ingress:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
# Legacy
dnsNames:
{{- toYaml . | nindent 2 }}
certificates:
- name: ingress-cert
dnsNames:
{{- toYaml . | nindent 4 }}
{{- end }}
# New multi cert gateway
{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
- name: {{ $cert.name }}
dnsNames:
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
proxyProtocol: {{ default false (index .Values "istio-ingress" "public" "proxyProtocol") }}
{{- end }}
{{- if index .Values "istio-ingress" "private" }}
@ -32,9 +45,22 @@ istio-private-ingress:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with index .Values "istio-ingress" "private" "dnsNames" }}
# Legacy
dnsNames:
{{- toYaml . | nindent 2 }}
certificates:
- name: private-ingress-cert
dnsNames:
{{- toYaml . | nindent 4 }}
{{- end }}
# New multi cert gateway
{{- range $cert := (index .Values "istio-ingress" "private" "certificates") }}
- name: {{ $cert.name }}
dnsNames:
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
proxyProtocol: {{ default false (index .Values "istio-ingress" "private" "proxyProtocol") }}
{{- end }}
{{- end }}
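Review bot: The `certificates:` key is only emitted inside `{{- with index .Values "istio-ingress" "public" "dnsNames" }}`, but the `{{- range $cert := ... "certificates" }}` items are emitted after that `{{- end }}`, so a cluster that sets `certificates` without the legacy `dnsNames` renders bare `- name:` items with no key to attach to, and the private hunk (`private-ingress-cert`) has the same shape. Moving `certificates:` out of the `with` and nesting the legacy item and the range under it fixes both; with neither value set the key would then render as null, so gating it with `{{- if or (index ...) (index ...) }}` is the remaining edge to decide. Indentation in the rewrite below is reconstructed, as the rendered page dropped it. The `istio-ingress:` mapping these keys sit under starts above the hunk.
```yaml
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
# Legacy
dnsNames:
{{- toYaml . | nindent 2 }}
{{- end }}
# Multi cert gateway: key is emitted unconditionally so the range items always attach
certificates:
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
  - name: ingress-cert
    dnsNames:
    {{- toYaml . | nindent 4 }}
{{- end }}
{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
  - name: {{ $cert.name }}
    dnsNames:
    {{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
# … unchanged: proxyProtocol and the private-ingress block, which needs the same restructuring …
```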