From 91b41779feb3dc875f337de2e6fa8249e4faf317 Mon Sep 17 00:00:00 2001
From: "Adam C. Migus"
Date: Fri, 11 Feb 2022 23:35:29 -0500
Subject: [PATCH] Use Helm. (#5)
* Add charts/dsv-injector
* Remove deployments/*, tests/Dockerfile, ...
---
build/Dockerfile => Dockerfile | 0
Makefile | 121 ++++--------------
charts/dsv-injector/.helmignore | 23 ++++
charts/dsv-injector/Chart.yaml | 14 ++
charts/dsv-injector/templates/_helpers.tpl | 62 +++++++++
.../dsv-injector/templates/cert-secret.yaml | 8 ++
charts/dsv-injector/templates/deployment.yaml | 54 ++++++++
.../dsv-injector/templates/roles-secret.yaml | 7 +
charts/dsv-injector/templates/service.yaml | 28 ++++
.../templates/serviceaccount.yaml | 12 ++
charts/dsv-injector/templates/webhook.yaml | 22 ++++
charts/dsv-injector/values.yaml | 102 +++++++++++++++
deployments/host.yml | 22 ---
deployments/pod.yml | 47 -------
deployments/webhook.yml | 21 ---
test/Dockerfile | 11 --
test/registry.yml | 62 --------
17 files changed, 356 insertions(+), 260 deletions(-)
rename build/Dockerfile => Dockerfile (100%)
create mode 100644 charts/dsv-injector/.helmignore
create mode 100644 charts/dsv-injector/Chart.yaml
create mode 100644 charts/dsv-injector/templates/_helpers.tpl
create mode 100644 charts/dsv-injector/templates/cert-secret.yaml
create mode 100644 charts/dsv-injector/templates/deployment.yaml
create mode 100644 charts/dsv-injector/templates/roles-secret.yaml
create mode 100644 charts/dsv-injector/templates/service.yaml
create mode 100644 charts/dsv-injector/templates/serviceaccount.yaml
create mode 100644 charts/dsv-injector/templates/webhook.yaml
create mode 100644 charts/dsv-injector/values.yaml
delete mode 100644 deployments/host.yml
delete mode 100644 deployments/pod.yml
delete mode 100644 deployments/webhook.yml
delete mode 100644 test/Dockerfile
delete mode 100644 test/registry.yml
diff --git a/build/Dockerfile b/Dockerfile
similarity index 100%
rename from build/Dockerfile
rename to Dockerfile
diff --git a/Makefile b/Makefile
index 0958404..18af078 100644
--- a/Makefile
+++ b/Makefile
@@ -3,111 +3,38 @@ VERSION?=latest
IMAGE_TAG=$(NAME):$(VERSION)
-DOCKER=docker
-# Podman also works but it assumes that the registry is HTTPS...
-#DOCKER=podman
-#DOCKER_PUSH_ARGS=--tls-verify=false
-
-# Use the Minikube built-in kubectl by default
-KUBECTL=minikube kubectl --
-
-all: image
-
-# Look for a 'registry' service on the cluster unless given one as an argument
-REGISTRY?=$(shell $(KUBECTL) get --ignore-not-found -n kube-system service \
- registry -o jsonpath="{.spec.clusterIP}{':'}{.spec.ports[0].port}")
-registry:
-ifeq ($(REGISTRY),)
- @echo enabling the Minikube registry addon
- @minikube addons enable registry && sleep 6
-REGISTRY=$(shell $(KUBECTL) get -n kube-system service registry -o \
- jsonpath="{.spec.clusterIP}{':'}{.spec.ports[0].port}")
-endif
-
-# Build, tag and push the dsv-injector service πŸ“¦
-image: registry
- $(DOCKER) build . -t $(IMAGE_TAG) -f build/Dockerfile $(DOCKER_BUILD_ARGS)
- $(DOCKER) tag $(DOCKER_TAG_ARGS) $(IMAGE_TAG) $(REGISTRY)/$(IMAGE_TAG)
- $(DOCKER) push $(DOCKER_PUSH_ARGS) $(REGISTRY)/$(IMAGE_TAG)
+HELM_CHART:=charts/$(NAME)
-### The remainder builds and deploys a test injector-svc β˜‘οΈ
-
-# The CA certificate of the Kubernetes cluster πŸ”
-CA_CRT?=${HOME}/.minikube/ca.crt
-
-# See the "CA certificate" section of README.md πŸ“–
-CA_BUNDLE?=$(shell base64 -w0 $(CA_CRT))
+DOCKER=docker
+HELM=helm
# The Kubernetes Namespace in which to deploy πŸ“
NAMESPACE?=default
-# The JSON file containing a mapping of DSV role names to tenant/credentials πŸ”‘
-ROLES_FILE?=configs/roles.json
-
-# The IP address of the host running the dsv-injector service πŸ–₯️
-SERVICE_IP?=$(shell ip route get 1.1.1.1 | grep -oP 'src \K\S+')
+CA_BUNDLE?=${HOME}/.minikube/ca.crt
-# The TCP port on which the service should listen 🌐
-SERVICE_PORT?=8543
+ROLES_JSON?=configs/roles.json
-TEST_IMAGE_TAG?=$(NAME)-test:$(VERSION)
+.PHONY: image
-IMAGE_PULL_POLICY=Always
+all: install
-BUILD_DIR=target
-
-$(BUILD_DIR):
- mkdir -p $(BUILD_DIR)
-
-deploy_webhook: $(BUILD_DIR)
- sed -e "s| namespace: .*$$| namespace: $(NAMESPACE)|" \
- -e "s| port: [0-9]*.*$$| port: $(SERVICE_PORT)|" \
- -e "s|caBundle:.*$$|caBundle: $(CA_BUNDLE)|" \
- deployments/webhook.yml >| $(BUILD_DIR)/webhook.yml
- $(KUBECTL) apply -f $(BUILD_DIR)/webhook.yml
+# Build the dsv-injector service image πŸ“¦
+image:
+ $(DOCKER) build . -t $(IMAGE_TAG) $(DOCKER_BUILD_ARGS)
# Get a certificate from the Kubernetes cluster CA
-$(BUILD_DIR)/$(NAME).key $(BUILD_DIR)/$(NAME).pem: $(BUILD_DIR)
- sh scripts/get_cert.sh -n "$(NAME)" -N "$(NAMESPACE)" -d "$(BUILD_DIR)"
-
-dsv-injector-svc: cmd/dsv-injector-svc.go
- go build $<
-
-# Deploy the service that the webhook uses as a pointer to the host
-deploy_host: deploy_webhook $(BUILD_DIR)/$(NAME).key $(BUILD_DIR)/$(NAME).pem dsv-injector-svc
- sed -e "s| namespace: .*$$| namespace: $(NAMESPACE)|" \
- -e "s|- port: [0-9]*.*$$|- port: $(SERVICE_PORT)|" \
- -e "s|- ip: *\"[0-9].*$$|- ip: \"$(SERVICE_IP)\"|" \
- deployments/host.yml >| $(BUILD_DIR)/host.yml
- $(KUBECTL) apply -f $(BUILD_DIR)/host.yml
-
-# Create the test image Dockerfile
-$(BUILD_DIR)/Dockerfile: registry test/Dockerfile $(BUILD_DIR)
- sed -e "s|^FROM $(NAME):.*|FROM $(REGISTRY)/$(IMAGE_TAG)|" \
- test/Dockerfile >| $(BUILD_DIR)/Dockerfile
-
-# Build the test image πŸ₯ΌπŸ₯½πŸ§ͺ
-test_image: registry image $(BUILD_DIR)/$(NAME).key $(BUILD_DIR)/$(NAME).pem $(BUILD_DIR)/Dockerfile
- $(DOCKER) build .
-t $(TEST_IMAGE_TAG) -f $(BUILD_DIR)/Dockerfile $(DOCKER_BUILD_ARGS) \
- --build-arg cert_file="$(BUILD_DIR)/$(NAME).pem" \
- --build-arg key_file="$(BUILD_DIR)/$(NAME).key" \
- --build-arg roles_file="$(ROLES_FILE)"
- $(DOCKER) tag $(DOCKER_TAG_ARGS) $(TEST_IMAGE_TAG) $(REGISTRY)/$(TEST_IMAGE_TAG)
- $(DOCKER) push $(DOCKER_PUSH_ARGS) $(REGISTRY)/$(TEST_IMAGE_TAG)
-
-# Deploy the test image that includes the certficate and roles.json βš οΈπŸ”“πŸ˜§
-deploy: deploy_webhook test_image
- sed -e "s| namespace: .*$$| namespace: $(NAMESPACE)|" \
- -e "s|- port: [0-9]*.*$$|- port: $(SERVICE_PORT)|" \
- -e "s|imagePullPolicy:.*$$|imagePullPolicy: $(IMAGE_PULL_POLICY)|" \
- -e "s|image:.*$$|image: $(REGISTRY)/$(TEST_IMAGE_TAG)|" \
- deployments/pod.yml >| $(BUILD_DIR)/pod.yml
- $(KUBECTL) apply -f $(BUILD_DIR)/pod.yml
-
-deploy_clean:
- $(KUBECTL) delete --ignore-not-found deployments $(NAME)
- $(KUBECTL) delete --ignore-not-found service $(NAME)
- $(KUBECTL) delete --ignore-not-found mutatingwebhookconfigurations.admissionregistration.k8s.io $(NAME)
-
-clean: deploy_clean
- rm -rf $(BUILD_DIR) dsv-injector-svc
+$(HELM_CHART)/$(NAME).key $(HELM_CHART)/$(NAME).pem:
+ sh scripts/get_cert.sh -n "$(NAME)" -d "$(HELM_CHART)" -N "$(NAMESPACE)"
+ -rm -f $(HELM_CHART)/$(NAME).csr
+
+install: $(HELM_CHART)/$(NAME).key $(HELM_CHART)/$(NAME).pem image
+ $(HELM) install $(HELM_INSTALL_ARGS) \
+ --set-file caBundle=$(CA_BUNDLE) \
+ --set-file rolesJson=$(ROLES_JSON) \
+ $(NAME) $(HELM_CHART)
+
+clean:
+ $(HELM) uninstall $(NAME)
+ $(DOCKER) rmi -f $(IMAGE_TAG)
+ -rm -f $(HELM_CHART)/$(NAME).key $(HELM_CHART)/$(NAME).pem
diff --git a/charts/dsv-injector/.helmignore b/charts/dsv-injector/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/dsv-injector/.helmignore
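Review bot: `install` and `clean` are not declared phony (the new `.PHONY: image` line lists only `image`), so a file with either name in the repo root would shadow the target; widen it to `.PHONY: all image install clean`. The `install` recipe runs `$(HELM) install`, which fails on a second run once the release exists, and `clean` runs `$(HELM) uninstall $(NAME)` unguarded, so `make clean` fails when nothing is installed — the removed `deploy_clean` tolerated that with `--ignore-not-found`; `$(HELM) upgrade --install $(HELM_INSTALL_ARGS) \` makes install idempotent. The certificate rule lists two targets for one recipe, which GNU Make treats as two independent rules, so under `make -j` the `install` prerequisites can run `scripts/get_cert.sh` twice concurrently for the same key pair; a stamp file or a grouped target (`&:`, GNU Make 4.3+) avoids that. The private key is now generated into `$(HELM_CHART)`, where `.Files.Get` and `helm package` pick it up; `.gitignore` is not in this patch, so please confirm `charts/dsv-injector/*.key` is excluded from version control.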
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/dsv-injector/Chart.yaml b/charts/dsv-injector/Chart.yaml
new file mode 100644
index 0000000..3208475
--- /dev/null
+++ b/charts/dsv-injector/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: dsv-injector
+description: A Helm chart for the Delinea DevOps Secrets Vault (DSV) Injector Mutating Webhook.
+keywords:
+ - Delinea
+ - DevOps
+ - DSV
+ - secrets
+ - vault
+type: application
+version: 0.1.0
+appVersion: latest
+maintainers:
+ - name: Adam Migus
diff --git a/charts/dsv-injector/templates/_helpers.tpl b/charts/dsv-injector/templates/_helpers.tpl
new file mode 100644
index 0000000..e6fa810
--- /dev/null
+++ b/charts/dsv-injector/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dsv.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dsv.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dsv.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "dsv.labels" -}}
+helm.sh/chart: {{ include "dsv.chart" . }}
+{{ include "dsv.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dsv.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dsv.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dsv.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dsv.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/dsv-injector/templates/cert-secret.yaml b/charts/dsv-injector/templates/cert-secret.yaml
new file mode 100644
index 0000000..b1077c7
--- /dev/null
+++ b/charts/dsv-injector/templates/cert-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "dsv.name" . }}-cert
+data:
+ cert: {{ .Files.Get "dsv-injector.pem" | b64enc }}
+ key: {{ .Files.Get "dsv-injector.key" | b64enc }}
+type: Opaque
diff --git a/charts/dsv-injector/templates/deployment.yaml b/charts/dsv-injector/templates/deployment.yaml
new file mode 100644
index 0000000..45b759c
--- /dev/null
+++ b/charts/dsv-injector/templates/deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "dsv.fullname" . }}
+ labels:
+ {{- include "dsv.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "dsv.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "dsv.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ command: ["dsv-injector-svc", "-cert", "/tls/cert", "-key", "/tls/key", "-roles", "/roles/json" ]
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.containerPort }}
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: cert
+ readOnly: true
+ mountPath: /tls
+ - name: roles
+ readOnly: true
+ mountPath: /roles
+ serviceAccountName: {{ include "dsv.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ volumes:
+ - name: roles
+ secret:
+ secretName: {{ include "dsv.name" . }}-roles
+ - name: cert
+ secret:
+ secretName: {{ include "dsv.name" . }}-cert
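Review bot: `.Files.Get "dsv-injector.pem"` and `.Files.Get "dsv-injector.key"` return an empty string when the file is not present in the chart, so a chart installed without the generated key pair renders a Secret with empty `cert`/`key` and the problem only surfaces when the container fails to start; `cert: {{ required "dsv-injector.pem is missing from the chart directory" (.Files.Get "dsv-injector.pem") | b64enc }}` (and likewise for `key`) makes `helm install` fail at render time instead. The two file names are also hard-coded here while the Makefile derives them from `$(NAME)`, so the two must be kept in lockstep; a template comment such as `# cert/key are written into the chart directory by the Makefile's get_cert.sh rule` would document that coupling.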
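Review bot: The pod is rendered with `podSecurityContext: {}` and `securityContext: {}` from values.yaml and without a readiness probe, although the container only runs `dsv-injector-svc` against two read-only Secret mounts. The hardening the values file leaves commented out (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`) appears applicable here and could be the default — confirm the image neither needs root nor writes to its filesystem. Without a readiness probe the pod is counted as ready as soon as the container starts, so the API server may route admission requests before the listener on `containerPort` is up; a `readinessProbe` with `tcpSocket: { port: http }` (or an HTTPS probe if the service exposes a health path) would gate that. The port is named `http` while the webhook is served over TLS with the mounted cert, so `https` would read more accurately.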
diff --git a/charts/dsv-injector/templates/roles-secret.yaml b/charts/dsv-injector/templates/roles-secret.yaml
new file mode 100644
index 0000000..32bced0
--- /dev/null
+++ b/charts/dsv-injector/templates/roles-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "dsv.name" . }}-roles
+data:
+ json: {{ .Values.rolesJson | b64enc }}
+type: Opaque
diff --git a/charts/dsv-injector/templates/service.yaml b/charts/dsv-injector/templates/service.yaml
new file mode 100644
index 0000000..09087c3
--- /dev/null
+++ b/charts/dsv-injector/templates/service.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "dsv.fullname" . }}
+ labels:
+ {{- include "dsv.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: {{ .Values.webhookPort }}
+ targetPort: {{ .Values.containerPort }}
+ selector:
+ {{- include "dsv.selectorLabels" . | nindent 4 }}
+ type: {{ .Values.service.type }}
+{{- if eq .Values.service.type "ClusterIP" -}}
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: {{ include "dsv.fullname" . }}
+ labels:
+ {{- include "dsv.labels" . | nindent 4 }}
+subsets:
+ - addresses:
+ - ip: {{ .Values.service.ipAddress }}
+ ports:
+ - port: 8543
+{{- end -}}
diff --git a/charts/dsv-injector/templates/serviceaccount.yaml b/charts/dsv-injector/templates/serviceaccount.yaml
new file mode 100644
index 0000000..458c788
--- /dev/null
+++ b/charts/dsv-injector/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "dsv.serviceAccountName" . }}
+ labels:
+ {{- include "dsv.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/dsv-injector/templates/webhook.yaml b/charts/dsv-injector/templates/webhook.yaml
new file mode 100644
index 0000000..a8e3132
--- /dev/null
+++ b/charts/dsv-injector/templates/webhook.yaml
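Review bot: `.Values.service.ipAddress` in service.yaml is not defined in values.yaml, so selecting `service.type: ClusterIP` renders an Endpoints entry with an empty `ip:`, while `service.port` is defined but never read (the Service uses `.Values.webhookPort`). The Endpoints block also hard-codes `port: 8543` instead of `{{ .Values.webhookPort }}`, so changing the webhook port leaves the two out of sync. Because the Service carries a `selector`, the endpoints controller manages the Endpoints object of the same name and, as far as I know, will overwrite hand-written addresses; a selector-less Service is the usual shape when pointing at an external address. A comment on the `{{- if eq .Values.service.type "ClusterIP" -}}` block stating that it exists only for the out-of-cluster development case would help readers.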
@@ -0,0 +1,22 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ include "dsv.name" . }}
+ labels:
+ {{- include "dsv.labels" . | nindent 4 }}
+webhooks:
+ - name: {{ include "dsv.fullname" . }}.default.svc
+ sideEffects: {{ default "None" .Values.sideEffects }}
+ admissionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: {{ include "dsv.name" . }}
+ namespace: {{ .Release.Namespace }}
+ path: {{ .Values.webhookUri }}
+ port: {{ .Values.webhookPort }}
+ caBundle: {{ .Values.caBundle | b64enc }}
+ rules:
+ - operations: ["CREATE", "UPDATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["secrets"]
diff --git a/charts/dsv-injector/values.yaml b/charts/dsv-injector/values.yaml
new file mode 100644
index 0000000..8336a21
--- /dev/null
+++ b/charts/dsv-injector/values.yaml
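Review bot: `clientConfig.service.name` uses `include "dsv.name"` while the Service in service.yaml is named with `include "dsv.fullname"`, so the two only match when the release name contains the chart name (which the Makefile's `helm install $(NAME)` happens to guarantee); use `name: {{ include "dsv.fullname" . }}` here. The webhook `name` hard-codes `.default.svc` while `namespace` comes from `.Release.Namespace`, so `{{ include "dsv.fullname" . }}.{{ .Release.Namespace }}.svc` keeps them consistent. No `failurePolicy`, `namespaceSelector` or `objectSelector` is set, so with the v1 default of `Fail` every Secret CREATE/UPDATE in every namespace, kube-system included, is rejected whenever the injector is unavailable; exposing those three as values with a comment on that blast radius lets operators scope the webhook and pick `Ignore` where that is the safer failure mode. `caBundle: {{ .Values.caBundle | b64enc }}` expects PEM in the value, which contradicts the values.yaml comment describing it as already Base64.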
@@ -0,0 +1,102 @@
+# Default values for the Delina DevOps Secrets Vault (DSV) Secrets Injector
+# Kubernetes API Server Mutating Webhook.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: thycotic/dsv-injector
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: LoadBalancer
+ port: 8543
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+# webhookUri is path portion of the URL of the webhook endpoint
+webhookUri: /inject
+# webhookPort is the port that the webhook endpoint is listening on
+webhookPort: 8543
+# containerPort is the port that the container itself listens on
+containerPort: 18543
+
+# rolesJson contains the JSON-formatted roles file (see README.md)
+rolesJson: >-
+ {
+ "default": {
+ "credentials": {
+ "clientId": "89abcdef-1234-5678-abcd-1234567890ab",
+ "clientSecret": "ZW5jcnlwdGVkIHNlY3JldCDwn6Sr"
+ },
+ "tenant": "example"
+ }
+ }
+
+# caBundle contains the CA certificate chain in Base64, of course.
+# For Minikube it's the contents of ${HOME}/.minikube/ca.crt
+caBundle: |-
+ -----BEGIN CERTIFICATE-----
+ MIIEJzCCAw+gAwIBAgIUFYI0CRYg7DBEfI5jryJIaCMl9r4wDQYJKoZIhvcNAQEL
+ BQAwgaIxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1XYXNoaW5ndG9uIERDMRYwFAYD
+ VQQHDA1XYXNoaW5ndG9uIERDMRAwDgYDVQQKDAdEZWxpbmVhMRUwEwYDVQQLDAxI
+ ZWFkcXVhcnRlcnMxFjAUBgNVBAMMDWRlbGluZWEubG9jYWwxIjAgBgkqhkiG9w0B
+ CQEWE2NvbnRhY3RAZGVsaW5lYS5jb20wHhcNMjIwMjEyMDM0NDAzWhcNMjcwMjEx
+ MDM0NDAzWjCBojELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVdhc2hpbmd0b24gREMx
+ FjAUBgNVBAcMDVdhc2hpbmd0b24gREMxEDAOBgNVBAoMB0RlbGluZWExFTATBgNV
+ BAsMDEhlYWRxdWFydGVyczEWMBQGA1UEAwwNZGVsaW5lYS5sb2NhbDEiMCAGCSqG
+ SIb3DQEJARYTY29udGFjdEBkZWxpbmVhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ ggEPADCCAQoCggEBAPAWocg3GrGLBuTrQy+4r5aKsx6p9ad9iRbaLooMYanP+r3W
+ OhK8IlJNxaJXcq+3uoPoxvHXwxRyxquvM3nso5mg4+OJfR9MlYs/MSrCoT/ns9lq
+ 6WZC0zN8ehQC2ZR4uYMW20xcdYapXAHQESoTgSZ/N9Y9+okKIvJj3/lKLenbiAZL
+ +4CbtGHWOruh2G50/ZKanLogC2BpI0PqcOS70Y8DfhXRQsy2BitYpVuPPOARHE6a
+ PN2osWBJV1OZhPw+m0k3cworPlG5R5AEyeroSYLcdQ8tO8a4c1DmHcjdKvBNayTg
+ b3XhZqgLq1M/YW90lL/lCun7ICsq467x4EZJ/LMCAwEAAaNTMFEwHQYDVR0OBBYE
+ FIdBbv5Wc1X95Zh2s7OrTrRkayOsMB8GA1UdIwQYMBaAFIdBbv5Wc1X95Zh2s7Or
+ TrRkayOsMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBANGKXClP
+ aGqqIBskks2XgM3UNkD1SDBZsjw/s2meyxsN/3jbBKDOrqmvL0yP6Dvx/RejFQcS
+
SCA2ftGrq5XWpy5PU9VS+CnPNobqPpE/wxXIwi/n9n6H+7auUeWByZZrFRJPJyAL
+ asuE5ZwwtWju/5CfDcEcZIW6Ejj6U7NtHTv7MMfvpI/81aFddLPHbEQFrB+jLmG9
+ zm/454p+IBnGrqxV6vbIVf+dSpSFpNOwGbMpS1TDkWCn8GiPLQDuNzKpvirULFvW
+ s1r5+1ed8Te1MsOzlUzUbr/3uPSfsHwqNEy0nXohLOK97+bkNVjtpS05iggWXWzk
+ mgQKmDhWWVG+p9c=
+ -----END CERTIFICATE-----
diff --git a/deployments/host.yml b/deployments/host.yml
deleted file mode 100644
index 2fd4456..0000000
--- a/deployments/host.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: dsv-injector
- namespace: default
-spec:
- type: ClusterIP
- ports:
- - port: 8543
- targetPort: 18543
----
-kind: Endpoints
-apiVersion: v1
-metadata:
- name: dsv-injector
- namespace: default
-subsets:
- - addresses:
- - ip: "192.168.1.1"
- ports:
- - port: 8543
diff --git a/deployments/pod.yml b/deployments/pod.yml
deleted file mode 100644
index dbaba0e..0000000
--- a/deployments/pod.yml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: dsv-injector
- namespace: default
- labels:
- app: dsv-injector
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: dsv-injector
- template:
- metadata:
- labels:
- app: dsv-injector
- namespace: default
- spec:
- containers:
- - name: dsv-injector
- image: dsv-injector:latest
- imagePullPolicy: IfNotPresent # No pull required in Minikube
- resources:
- requests:
- memory: "512Mi"
- cpu: "250m"
- limits:
- memory: "2048Mi"
- cpu: "1000m"
- ports:
- - containerPort: 18543
----
-apiVersion: v1
-kind: Service
-metadata:
- name: dsv-injector
- namespace: default
- labels:
- app: dsv-injector
-spec:
- ports:
- - port: 8543
- targetPort: 18543
- selector:
- app: dsv-injector
- type: LoadBalancer
diff --git a/deployments/webhook.yml b/deployments/webhook.yml
deleted file mode 100644
index 4188058..0000000
--- a/deployments/webhook.yml
+++ /dev/null
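Review bot: The defaults embed a sample `clientId`/`clientSecret` under `rolesJson` and a complete CA certificate under `caBundle`, so a plain `helm install` without the Makefile's `--set-file` overrides silently yields a webhook that trusts the committed CA and an injector configured with placeholder credentials; empty defaults (`rolesJson: ""`, `caBundle: ""`) paired with `required` in roles-secret.yaml and webhook.yaml would make the omission fail at render time instead. The `caBundle` comment says the value is "in Base64", but the example is PEM and webhook.yaml applies `b64enc` itself, so it should read `# caBundle is the PEM-encoded CA certificate chain; the webhook template Base64-encodes it.` The header comment misspells the vendor (`Delina` → `Delinea`). `service.port` is not referenced by any template (service.yaml uses `webhookPort`), so it should be removed or wired up, and `service.ipAddress`, which service.yaml does read, is missing here.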
@@ -1,21 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- name: dsv-injector
- labels:
- app: dsv
-webhooks:
- - name: dsv.thycotic.com
- clientConfig:
- service:
- name: dsv-injector
- namespace: default
- path: "/inject"
- port: 8543
- caBundle: ""
- rules:
- - operations: ["CREATE", "UPDATE"]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["secrets"]
diff --git a/test/Dockerfile b/test/Dockerfile
deleted file mode 100644
index d89e6b9..0000000
--- a/test/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-FROM dsv-injector:latest
-
-ARG cert_file
-ARG key_file
-ARG roles_file
-
-COPY ${cert_file} ./dsv.pem
-COPY ${key_file} ./dsv.key
-COPY ${roles_file} ./roles.json
-
-ENTRYPOINT ["dsv-injector-svc", "-cert", "dsv.pem", "-key", "dsv.key", "-roles", "roles.json" ]
diff --git a/test/registry.yml b/test/registry.yml
deleted file mode 100644
index c7b8855..0000000
--- a/test/registry.yml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-apiVersion: v1
-kind: ReplicationController
-metadata:
- name: kube-registry-v0
- namespace: kube-system
- labels:
- k8s-app: kube-registry
- version: v0
-spec:
- replicas: 1
- selector:
- k8s-app: kube-registry
- version: v0
- template:
- metadata:
- labels:
- k8s-app: kube-registry
- version: v0
- spec:
- containers:
- - name: registry
- image: registry:2.5.1
- resources:
- requests:
- memory: "512Mi"
- cpu: "250m"
- limits:
- memory: "2048Mi"
- cpu: "1000m"
- env:
- - name: REGISTRY_HTTP_ADDR
- value: :5000
- - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
- value: /var/lib/registry
- volumeMounts:
- - name: image-store
- mountPath: /var/lib/registry
- ports:
- - containerPort: 5000
- name: registry
- protocol: TCP
- volumes:
- - name: image-store
- hostPath:
- path: /data/registry/
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kube-registry
- namespace: kube-system
- labels:
- k8s-app: kube-registry
-spec:
- type: ClusterIP
- selector:
- k8s-app: kube-registry
- ports:
- - name: registry
- port: 5000
- protocol: TCP