Set TLS certificate for kube-rbac-proxy container

Deprecation warnings by #187 for insecure connection without TLS
medik8s · May 29, 2023 · f699a62 · f699a62
1 parent d02086d
commit f699a62
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml b/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
@@ -202,6 +202,8 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=0
+                - --tls-cert-file=/etc/tls/tls.crt
+                - --tls-private-key-file=/etc/tls/tls.key
                 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
                 name: kube-rbac-proxy
                 ports:
@@ -220,6 +222,10 @@ spec:
                   capabilities:
                     drop:
                     - ALL
+                volumeMounts:
+                - mountPath: /etc/tls
+                  name: tls-secret
+                  readOnly: true
               - args:
                 - --health-probe-bind-address=:8081
                 - --metrics-bind-address=127.0.0.1:8080
@@ -263,6 +269,10 @@ spec:
                   type: RuntimeDefault
               serviceAccountName: fence-agents-remediation-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: tls-secret
+                secret:
+                  secretName: far-rbac-container-secret
       permissions:
       - rules:
         - apiGroups:

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,10 @@ metadata:
 spec:
   template:
     spec:
+      volumes:
+      - name: tls-secret
+        secret:
+          secretName: far-rbac-container-secret
       containers:
       - name: kube-rbac-proxy
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
@@ -16,6 +20,12 @@ spec:
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
         - "--v=0"
+        - "--tls-cert-file=/etc/tls/tls.crt"
+        - "--tls-private-key-file=/etc/tls/tls.key"
+        volumeMounts:
+        - name: tls-secret
+          mountPath: /etc/tls
+          readOnly: true
         ports:
         - containerPort: 8443
           protocol: TCP