forked from hashicorp/consul-k8s
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request hashicorp#447 from hashicorp/create-federation-secret
New create-federation-secret job
- Loading branch information
Showing
18 changed files
with
742 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| {{- if .Values.global.federation.createFederationSecret }} | ||
| {{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} | ||
| {{- if and (not .Values.global.acls.createReplicationToken) (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} | ||
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| labels: | ||
| app: {{ template "consul.name" . }} | ||
| chart: {{ template "consul.chart" . }} | ||
| heritage: {{ .Release.Service }} | ||
| release: {{ .Release.Name }} | ||
| component: create-federation-secret | ||
| annotations: | ||
| "helm.sh/hook": post-install,post-upgrade | ||
| {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} | ||
| "helm.sh/hook-weight": "1" | ||
| "helm.sh/hook-delete-policy": hook-succeeded | ||
| spec: | ||
| template: | ||
| metadata: | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| labels: | ||
| app: {{ template "consul.name" . }} | ||
| chart: {{ template "consul.chart" . }} | ||
| release: {{ .Release.Name }} | ||
| component: create-federation-secret | ||
| annotations: | ||
| "consul.hashicorp.com/connect-inject": "false" | ||
| spec: | ||
| restartPolicy: Never | ||
| serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret | ||
| volumes: | ||
| {{- /* We can assume tls is enabled because there is a check in server-statefulset | ||
| that requires tls to be enabled if federation is enabled. */}} | ||
| - name: consul-ca-cert | ||
| secret: | ||
| {{- if .Values.global.tls.caCert.secretName }} | ||
| secretName: {{ .Values.global.tls.caCert.secretName }} | ||
| {{- else }} | ||
| secretName: {{ template "consul.fullname" . }}-ca-cert | ||
| {{- end }} | ||
| items: | ||
| - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} | ||
| path: tls.crt | ||
| - name: consul-ca-key | ||
| secret: | ||
| {{- if .Values.global.tls.caKey.secretName }} | ||
| secretName: {{ .Values.global.tls.caKey.secretName }} | ||
| {{- else }} | ||
| secretName: {{ template "consul.fullname" . }}-ca-key | ||
| {{- end }} | ||
| items: | ||
| - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} | ||
| path: tls.key | ||
| {{- /* We must incude both auto-encrypt and server CAs because we make API calls to the local | ||
| Consul client (requiring the auto-encrypt CA) but the secret generated must include the server CA */}} | ||
| {{- if .Values.global.tls.enableAutoEncrypt }} | ||
| - name: consul-auto-encrypt-ca-cert | ||
| emptyDir: | ||
| medium: "Memory" | ||
| {{- end }} | ||
| {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} | ||
| - name: gossip-encryption-key | ||
| secret: | ||
| secretName: {{ .Values.global.gossipEncryption.secretName }} | ||
| items: | ||
| - key: {{ .Values.global.gossipEncryption.secretKey }} | ||
| path: gossip.key | ||
| {{- end }} | ||
|
|
||
| {{- if .Values.global.tls.enableAutoEncrypt }} | ||
| initContainers: | ||
| {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} | ||
| {{- end }} | ||
|
|
||
| containers: | ||
| - name: create-federation-secret | ||
| image: "{{ .Values.global.imageK8S }}" | ||
| env: | ||
| - name: NAMESPACE | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: metadata.namespace | ||
| - name: HOST_IP | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: status.hostIP | ||
| - name: CONSUL_HTTP_ADDR | ||
| value: https://$(HOST_IP):8501 | ||
| - name: CONSUL_CACERT | ||
| {{- if .Values.global.tls.enableAutoEncrypt }} | ||
| value: /consul/tls/client/ca/tls.crt | ||
| {{- else }} | ||
| value: /consul/tls/ca/tls.crt | ||
| {{- end }} | ||
| volumeMounts: | ||
| - name: consul-ca-cert | ||
| mountPath: /consul/tls/ca | ||
| readOnly: true | ||
| - name: consul-ca-key | ||
| mountPath: /consul/tls/server/ca | ||
| readOnly: true | ||
| {{- if .Values.global.tls.enableAutoEncrypt }} | ||
| - name: consul-auto-encrypt-ca-cert | ||
| mountPath: /consul/tls/client/ca | ||
| readOnly: true | ||
| {{- end }} | ||
| {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} | ||
| - name: gossip-encryption-key | ||
| mountPath: /consul/gossip | ||
| readOnly: true | ||
| {{- end }} | ||
| command: | ||
| - "/bin/sh" | ||
| - "-ec" | ||
| - | | ||
| consul-k8s create-federation-secret \ | ||
| {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} | ||
| -gossip-key-file=/consul/gossip/gossip.key \ | ||
| {{- end }} | ||
| {{- if .Values.global.acls.createReplicationToken }} | ||
| -export-replication-token=true \ | ||
| {{- end }} | ||
| -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ | ||
| -k8s-namespace="${NAMESPACE}" \ | ||
| -resource-prefix="{{ template "consul.fullname" . }}" \ | ||
| -server-ca-cert-file=/consul/tls/ca/tls.crt \ | ||
| -server-ca-key-file=/consul/tls/server/ca/tls.key | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| {{- if .Values.global.enablePodSecurityPolicies }} | ||
| {{- if .Values.global.federation.createFederationSecret }} | ||
| apiVersion: policy/v1beta1 | ||
| kind: PodSecurityPolicy | ||
| metadata: | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| labels: | ||
| app: {{ template "consul.name" . }} | ||
| chart: {{ template "consul.chart" . }} | ||
| heritage: {{ .Release.Service }} | ||
| release: {{ .Release.Name }} | ||
| annotations: | ||
| "helm.sh/hook": post-install,post-upgrade | ||
| "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation | ||
| spec: | ||
| privileged: false | ||
| # Required to prevent escalations to root. | ||
| allowPrivilegeEscalation: false | ||
| # This is redundant with non-root + disallow privilege escalation, | ||
| # but we can provide it for defense in depth. | ||
| requiredDropCapabilities: | ||
| - ALL | ||
| # Allow core volume types. | ||
| volumes: | ||
| - 'secret' | ||
| - 'emptyDir' | ||
| hostNetwork: false | ||
| hostIPC: false | ||
| hostPID: false | ||
| runAsUser: | ||
| rule: 'RunAsAny' | ||
| seLinux: | ||
| rule: 'RunAsAny' | ||
| supplementalGroups: | ||
| rule: 'RunAsAny' | ||
| fsGroup: | ||
| rule: 'RunAsAny' | ||
| readOnlyRootFilesystem: false | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| {{- if .Values.global.federation.createFederationSecret }} | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: Role | ||
| metadata: | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| namespace: {{ .Release.Namespace }} | ||
| labels: | ||
| app: {{ template "consul.name" . }} | ||
| chart: {{ template "consul.chart" . }} | ||
| heritage: {{ .Release.Service }} | ||
| release: {{ .Release.Name }} | ||
| component: create-federation-secret | ||
| annotations: | ||
| "helm.sh/hook": post-install,post-upgrade | ||
| "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation | ||
| rules: | ||
| {{/* Must have separate rule for create secret permissions vs update because | ||
| can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} | ||
| - apiGroups: [""] | ||
| resources: | ||
| - secrets | ||
| verbs: | ||
| - create | ||
| - apiGroups: [""] | ||
| resources: | ||
| - secrets | ||
| resourceNames: | ||
| - {{ template "consul.fullname" . }}-federation | ||
| verbs: | ||
| - update | ||
| {{- if or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs }} | ||
| - apiGroups: [""] | ||
| resources: | ||
| - secrets | ||
| resourceNames: | ||
| - {{ template "consul.fullname" . }}-acl-replication-acl-token | ||
| verbs: | ||
| - get | ||
| {{- end }} | ||
| {{- if .Values.global.enablePodSecurityPolicies }} | ||
| - apiGroups: ["policy"] | ||
| resources: | ||
| - podsecuritypolicies | ||
| verbs: | ||
| - use | ||
| resourceNames: | ||
| - {{ template "consul.fullname" . }}-create-federation-secret | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| {{- if .Values.global.federation.createFederationSecret }} | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: RoleBinding | ||
| metadata: | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| namespace: {{ .Release.Namespace }} | ||
| labels: | ||
| app: {{ template "consul.name" . }} | ||
| chart: {{ template "consul.chart" . }} | ||
| heritage: {{ .Release.Service }} | ||
| release: {{ .Release.Name }} | ||
| component: create-federation-secret | ||
| annotations: | ||
| "helm.sh/hook": post-install,post-upgrade | ||
| "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| {{- if .Values.global.federation.createFederationSecret }} | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: {{ template "consul.fullname" . }}-create-federation-secret | ||
| namespace: {{ .Release.Namespace }} | ||
| labels: | ||
| app: {{ template "consul.name" . }} | ||
| chart: {{ template "consul.chart" . }} | ||
| heritage: {{ .Release.Service }} | ||
| release: {{ .Release.Name }} | ||
| component: create-federation-secret | ||
| annotations: | ||
| "helm.sh/hook": post-install,post-upgrade | ||
| "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation | ||
| {{- with .Values.global.imagePullSecrets }} | ||
| imagePullSecrets: | ||
| {{- range . }} | ||
| - name: {{ .name }} | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -45,4 +45,4 @@ rules: | |
| - use | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- end }} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.