certificates/autocert/install/02-autocert.yaml
Justin 351c01cf7e Do not allow pods in one namespace to create certificates for hostnames from another namespace. (#54)
* Do not allow pods in one namespace to create certificates for hostnames from another namespace.

* Make cluster domain configurable, clean up shouldMutate() logic, and make namespace restrictions configurable with restrictCertificatesToNamespace.

* Return certificate hostname validation errors in the admission webhook response.

* Appease the gometalinter.
2019-04-08 12:24:31 -07:00

108 lines
2.6 KiB
YAML

apiVersion: v1
kind: Service
metadata:
labels: {app: autocert}
name: autocert
namespace: step
spec:
type: ClusterIP
ports:
- port: 443
targetPort: 4443
selector: {app: autocert}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: autocert-config
namespace: step
data:
config.yaml: |
logFormat: json # or text
restrictCertificatesToNamespace: true
clusterDomain: cluster.local
caUrl: https://ca.step.svc.cluster.local
certLifetime: 24h
renewer:
name: autocert-renewer
image: smallstep/autocert-renewer:0.8.3
resources: {requests: {cpu: 10m, memory: 20Mi}}
imagePullPolicy: IfNotPresent
volumeMounts:
- name: certs
mountPath: /var/run/autocert.step.sm
bootstrapper:
name: autocert-bootstrapper
image: smallstep/autocert-bootstrapper:0.8.3
resources: {requests: {cpu: 10m, memory: 20Mi}}
imagePullPolicy: IfNotPresent
volumeMounts:
- name: certs
mountPath: /var/run/autocert.step.sm
certsVolume:
name: certs
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: autocert
namespace: step
labels: {app: autocert}
spec:
replicas: 1
selector: {matchLabels: {app: autocert}}
template:
metadata: {labels: {app: autocert}}
spec:
containers:
- name: autocert
image: smallstep/autocert-controller:0.8.3
resources: {requests: {cpu: 100m, memory: 20Mi}}
env:
- name: PROVISIONER_NAME
value: autocert
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: config
mountPath: /home/step/.step/config
readOnly: true
- name: certs
mountPath: /home/step/.step/certs
readOnly: true
- name: autocert-password
mountPath: /home/step/password
readOnly: true
- name: autocert-config
mountPath: /home/step/autocert
readOnly: true
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
path: /healthz
port: 4443
scheme: HTTPS
readinessProbe:
httpGet:
path: /healthz
port: 4443
scheme: HTTPS
volumes:
- name: config
configMap: {name: config}
- name: certs
configMap: {name: certs}
- name: autocert-password
secret: {secretName: autocert-password}
- name: autocert-config
configMap: {name: autocert-config}