feat: convert all kubezero modules to use service account tokens
This commit is contained in:
parent
09cc9e25cc
commit
97b94a4ffa
@ -72,8 +72,8 @@ function delete_ns() {
|
|||||||
|
|
||||||
# Extract crds via helm calls and apply delta=crds only
|
# Extract crds via helm calls and apply delta=crds only
|
||||||
function _crds() {
|
function _crds() {
|
||||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-no-crds.yaml
|
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml
|
||||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds -f $TMPDIR/values.yaml > $TMPDIR/helm-crds.yaml
|
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml
|
||||||
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||||
[ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml
|
[ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml
|
||||||
}
|
}
|
||||||
|
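Review bot: The two `helm template` lines on the new side still expand `$chart`, `$namespace`, `$release` and `$TMPDIR` unquoted, so a value containing whitespace or glob characters is word-split before it reaches helm; quote them, e.g. `helm template "$(chart_location "$chart")" --namespace "$namespace" --name-template "$release" --skip-crds --set "${release}.installCRDs=false" > "$TMPDIR/helm-no-crds.yaml"` and the same on the `--include-crds` line. Replacing `-f $TMPDIR/values.yaml` with `--set ${release}.installCRDs=…` also means both renders now use chart defaults rather than the release's values, so if any value other than `installCRDs` affects which CRDs a chart emits, the diff written to `crds.yaml` no longer matches what the release actually installs — a comment above `_crds()` stating that assumption would help the next maintainer. `delete_ns` starts outside the hunk; `_crds` is complete within it.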
@ -1,10 +1,16 @@
|
|||||||
{{- define "aws-ebs-csi-driver-values" }}
|
{{- define "aws-ebs-csi-driver-values" }}
|
||||||
aws-ebs-csi-driver:
|
aws-ebs-csi-driver:
|
||||||
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
|
controller:
|
||||||
podAnnotations:
|
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
|
||||||
iam.amazonaws.com/role: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
|
k8sTagClusterId: {{ .Values.ClusterName }}
|
||||||
extraVolumeTags:
|
env:
|
||||||
Name: {{ .Values.ClusterName }}
|
ebsPlugin:
|
||||||
|
- name: AWS_ROLE_ARN
|
||||||
|
value: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }}
|
||||||
|
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||||||
|
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
||||||
|
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||||||
|
value: regional
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
|
||||||
|
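Review bot: The `AWS_WEB_IDENTITY_TOKEN_FILE` entry added under `ebsPlugin.env` points at `/var/run/secrets/sts.amazonaws.com/serviceaccount/token`, but nothing in this hunk projects a service-account token to that path (compare the `volumes`/`volumeMounts` with `audience: "sts.amazonaws.com"` that the cert-manager values in this commit add); unless the chart or a mutating webhook mounts it, the SDK's web-identity provider presumably fails and falls through to the node's instance credentials, a broader identity than the role named in `IamArn`. Unlike the efs and cert-manager values, `IamArn` is also not guarded here, so with no ARN configured the block still renders `AWS_ROLE_ARN` as `""` via `| quote`; wrap the `env:` block in `{{- with index .Values "aws-ebs-csi-driver" "IamArn" }}` … `{{- end }}` for consistency with the other modules. A one-line comment above `env:` naming where the token projection comes from would make the dependency explicit.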
@ -1,19 +1,19 @@
|
|||||||
{{- define "aws-efs-csi-driver-values" }}
|
{{- define "aws-efs-csi-driver-values" }}
|
||||||
{{- with index .Values "aws-efs-csi-driver" "nodeSelector" }}
|
{{ with index .Values "aws-efs-csi-driver" "IamArn" }}
|
||||||
aws-efs-csi-driver:
|
aws-efs-csi-driver:
|
||||||
nodeSelector:
|
controller:
|
||||||
{{- toYaml . | nindent 4 }}
|
extraEnv:
|
||||||
|
- name: AWS_ROLE_ARN
|
||||||
|
value: "{{ . }}"
|
||||||
|
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||||||
|
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
||||||
|
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||||||
|
value: regional
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }}
|
{{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }}
|
||||||
PersistentVolumes:
|
PersistentVolumes:
|
||||||
{{- toYaml . | nindent 2 }}
|
{{- toYaml . | nindent 2 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if index .Values "aws-efs-csi-driver" "EfsId" }}
|
|
||||||
PersistentVolume:
|
|
||||||
create: true
|
|
||||||
EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }}
|
|
||||||
Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
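Review bot: The `controller.extraEnv` block sets `AWS_WEB_IDENTITY_TOKEN_FILE` to `/var/run/secrets/sts.amazonaws.com/serviceaccount/token`, but as in the ebs values no projected `serviceAccountToken` volume with `audience: "sts.amazonaws.com"` is mounted at that path in this hunk; the cert-manager values in the same commit show the `volumes`/`volumeMounts` pair that is needed, and without it the role in `AWS_ROLE_ARN` cannot be assumed unless something outside this template provides the token. Whether the pinned aws-efs-csi-driver chart honours a `controller.extraEnv` key is not visible here — worth confirming, since a silently ignored key leaves the controller on whatever node credentials it had before. Consider a comment above `extraEnv:` such as `# IRSA: token at AWS_WEB_IDENTITY_TOKEN_FILE must be projected with audience sts.amazonaws.com` so the coupling is recorded next to the values.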
@ -4,8 +4,27 @@ localCA:
|
|||||||
enabled: true
|
enabled: true
|
||||||
{{ with index .Values "cert-manager" "IamArn" }}
|
{{ with index .Values "cert-manager" "IamArn" }}
|
||||||
cert-manager:
|
cert-manager:
|
||||||
podAnnotations:
|
extraEnv:
|
||||||
iam.amazonaws.com/role: "{{ . }}"
|
- name: AWS_ROLE_ARN
|
||||||
|
value: "{{ . }}"
|
||||||
|
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||||||
|
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
||||||
|
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||||||
|
value: regional
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
- name: aws-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: token
|
||||||
|
expirationSeconds: 86400
|
||||||
|
audience: "sts.amazonaws.com"
|
||||||
|
|
||||||
|
volumeMounts:
|
||||||
|
- name: aws-token
|
||||||
|
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
|
||||||
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- with index .Values "cert-manager" "clusterIssuer" }}
|
{{- with index .Values "cert-manager" "clusterIssuer" }}
|
||||||
|
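Review bot: `expirationSeconds: 86400` on the projected `aws-token` volume is the longest window a leaked token stays usable against STS; the kubelet refreshes projected tokens before they expire, so a shorter lifetime such as `expirationSeconds: 3600` bounds the exposure at no operational cost, provided the SDK in the pinned cert-manager image re-reads the token file on credential refresh — worth checking before lowering it. The mount being `readOnly: true` and the token scoped to `audience: "sts.amazonaws.com"` are the right choices. Note that the role in `AWS_ROLE_ARN` is only as restrictive as its trust policy: unless that policy conditions on the OIDC `sub` claim of the cert-manager service account, any pod in the cluster holding a token with this audience could assume it — that lives outside this template, so a comment next to `- name: AWS_ROLE_ARN` pointing it out would help the operator.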
@ -16,9 +16,22 @@ istio-ingress:
|
|||||||
{{- toYaml . | nindent 6 }}
|
{{- toYaml . | nindent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
|
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
|
||||||
|
# Legacy
|
||||||
dnsNames:
|
dnsNames:
|
||||||
{{- toYaml . | nindent 2 }}
|
{{- toYaml . | nindent 2 }}
|
||||||
|
|
||||||
|
certificates:
|
||||||
|
- name: ingress-cert
|
||||||
|
dnsNames:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
# New multi cert gateway
|
||||||
|
{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
|
||||||
|
- name: {{ $cert.name }}
|
||||||
|
dnsNames:
|
||||||
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
proxyProtocol: {{ default false (index .Values "istio-ingress" "public" "proxyProtocol") }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if index .Values "istio-ingress" "private" }}
|
{{- if index .Values "istio-ingress" "private" }}
|
||||||
@ -32,9 +45,22 @@ istio-private-ingress:
|
|||||||
{{- toYaml . | nindent 6 }}
|
{{- toYaml . | nindent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with index .Values "istio-ingress" "private" "dnsNames" }}
|
{{- with index .Values "istio-ingress" "private" "dnsNames" }}
|
||||||
|
# Legacy
|
||||||
dnsNames:
|
dnsNames:
|
||||||
{{- toYaml . | nindent 2 }}
|
{{- toYaml . | nindent 2 }}
|
||||||
|
|
||||||
|
certificates:
|
||||||
|
- name: private-ingress-cert
|
||||||
|
dnsNames:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
# New multi cert gateway
|
||||||
|
{{- range $cert := (index .Values "istio-ingress" "private" "certificates") }}
|
||||||
|
- name: {{ $cert.name }}
|
||||||
|
dnsNames:
|
||||||
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
proxyProtocol: {{ default false (index .Values "istio-ingress" "private" "proxyProtocol") }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
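Review bot: In the public block, `certificates:` is emitted only inside `{{- with index .Values "istio-ingress" "public" "dnsNames" }}`, while the `{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}` that appends further `- name:` entries sits after that block's `{{- end }}`; a deployment that configures only the new `certificates` list and no legacy `dnsNames` therefore renders list items with no parent key, producing invalid or misplaced YAML. Emitting `certificates:` once, guarded by either input, and keeping the legacy `ingress-cert` entry inside the `with` fixes the shape; the private block in the second hunk mirrors the same structure and needs the same change with `private-ingress-cert`. The `proxyProtocol` default of `false` is the safe choice; a comment such as `# Only enable behind a load balancer that injects the PROXY header, otherwise client-supplied source addresses are trusted` would be worth adding above it. The enclosing `istio-ingress:` and `istio-private-ingress:` blocks start outside the hunks.
```yaml
# … unchanged: legacy top-level dnsNames block …
{{- if or (index .Values "istio-ingress" "public" "dnsNames") (index .Values "istio-ingress" "public" "certificates") }}
certificates:
{{- with index .Values "istio-ingress" "public" "dnsNames" }}
# Legacy
- name: ingress-cert
  dnsNames:
  {{- toYaml . | nindent 4 }}
{{- end }}
# New multi cert gateway
{{- range $cert := (index .Values "istio-ingress" "public" "certificates") }}
- name: {{ $cert.name }}
  dnsNames:
  {{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
{{- end }}
# Only enable behind a load balancer that injects the PROXY header, otherwise client-supplied source addresses are trusted
proxyProtocol: {{ default false (index .Values "istio-ingress" "public" "proxyProtocol") }}
```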