// Minimal required deployment for a functional controller.
//
// This variant carries no RBAC objects. It emits the SealedSecret CRD, the
// controller Deployment, its ClusterIP Service, and a separate Service for the
// metrics port. The controller image and its pull policy are taken from the
// CONTROLLER_IMAGE and IMAGE_PULL_POLICY external variables.
local kubecfg = import 'kubecfg.libsonnet';

// Namespace that every namespaced object below is pinned to.
local target_ns = 'kube-system';

{
  kube:: (import 'vendor_jsonnet/kube-libsonnet/kube.libsonnet'),
  local kube = self.kube + import 'kube-fixes.libsonnet',

  // Controller image reference, supplied at evaluation time (no default).
  controllerImage:: std.extVar('CONTROLLER_IMAGE'),

  // Pull policy: IMAGE_PULL_POLICY wins when set; otherwise derive it from the
  // image tag, using 'Always' for ':latest' (matching the kubelet's own
  // default for that tag) and 'IfNotPresent' for pinned tags.
  imagePullPolicy::
    local requested = std.extVar('IMAGE_PULL_POLICY');
    local is_latest = std.endsWith($.controllerImage, ':latest');
    if requested != '' then requested
    else if is_latest then 'Always'
    else 'IfNotPresent',

  crd: kube.CustomResourceDefinition('bitnami.com', 'v1alpha1', 'SealedSecret') {
    spec+: {
      versions_+: {
        v1alpha1+: {
          served: true,
          storage: true,
          // Expose the status subresource for this version.
          subresources: { status: {} },
          // The OpenAPI schema is maintained as YAML next to this file.
          schema: kubecfg.parseYaml(importstr 'schema-v1alpha1.yaml')[0],
        },
      },
    },
  },

  // Mixin that places an object in the target namespace.
  namespace:: { metadata+: { namespace: target_ns } },

  service: kube.Service('sealed-secrets-controller') + $.namespace {
    target_pod: $.controller.spec.template,
  },

  // Metrics get a dedicated ClusterIP Service so the main Service only
  // carries the controller's HTTP port. The spec is set (not merged) so only
  // the metrics port is published here.
  service_metrics: kube.Service('sealed-secrets-controller-metrics') + $.namespace {
    local svc = self,
    target_pod: $.controller.spec.template,
    spec: {
      selector: svc.target_pod.metadata.labels,
      ports: [{ port: 8081, targetPort: 8081 }],
      type: 'ClusterIP',
    },
  },

  controller: kube.Deployment('sealed-secrets-controller') + $.namespace {
    spec+: {
      template+: {
        spec+: {
          // Pod-level hardening: run as a fixed non-root UID, set the fsGroup
          // for mounted volumes (65534 is conventionally nobody/nogroup), and
          // use the runtime's default seccomp profile.
          securityContext+: {
            fsGroup: 65534,
            runAsNonRoot: true,
            runAsUser: 1001,
            seccompProfile+: { type: 'RuntimeDefault' },
          },
          containers_+: {
            controller: kube.Container('sealed-secrets-controller') {
              image: $.controllerImage,
              imagePullPolicy: $.imagePullPolicy,
              command: ['controller'],
              ports_+: {
                http: { containerPort: 8080 },
                metrics: { containerPort: 8081 },
              },
              // Liveness and readiness share the same /healthz check on the
              // http port.
              readinessProbe: { httpGet: { path: '/healthz', port: 'http' } },
              livenessProbe: self.readinessProbe,
              // Container-level hardening: no privilege escalation, all
              // capabilities dropped, read-only root filesystem.
              securityContext+: {
                allowPrivilegeEscalation: false,
                readOnlyRootFilesystem: true,
                capabilities+: { drop: ['ALL'] },
              },
              // The root filesystem is read-only, so /tmp is backed by the
              // emptyDir volume declared below.
              volumeMounts_+: { tmp: { mountPath: '/tmp' } },
            },
          },
          volumes_+: { tmp: { emptyDir: {} } },
        },
      },
    },
  },
}