forked from TrueCloudLab/certificates
351c01cf7e
* Do not allow pods in one namespace to create certificates for hostnames from another namespace. * Make cluster domain configurable, clean up shouldMutate() logic, and make namespace restrictions configurable with restrictCertificatesToNamespace. * Return certificate hostname validation errors in the admission webhook response. * Appease the gometalinter.
108 lines
2.6 KiB
YAML
108 lines
2.6 KiB
YAML
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels: {app: autocert}
|
|
name: autocert
|
|
namespace: step
|
|
spec:
|
|
type: ClusterIP
|
|
ports:
|
|
- port: 443
|
|
targetPort: 4443
|
|
selector: {app: autocert}
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: autocert-config
|
|
namespace: step
|
|
data:
|
|
config.yaml: |
|
|
logFormat: json # or text
|
|
restrictCertificatesToNamespace: true
|
|
clusterDomain: cluster.local
|
|
caUrl: https://ca.step.svc.cluster.local
|
|
certLifetime: 24h
|
|
renewer:
|
|
name: autocert-renewer
|
|
image: smallstep/autocert-renewer:0.8.3
|
|
resources: {requests: {cpu: 10m, memory: 20Mi}}
|
|
imagePullPolicy: IfNotPresent
|
|
volumeMounts:
|
|
- name: certs
|
|
mountPath: /var/run/autocert.step.sm
|
|
bootstrapper:
|
|
name: autocert-bootstrapper
|
|
image: smallstep/autocert-bootstrapper:0.8.3
|
|
resources: {requests: {cpu: 10m, memory: 20Mi}}
|
|
imagePullPolicy: IfNotPresent
|
|
volumeMounts:
|
|
- name: certs
|
|
mountPath: /var/run/autocert.step.sm
|
|
certsVolume:
|
|
name: certs
|
|
emptyDir: {}
|
|
|
|
---
|
|
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: autocert
|
|
namespace: step
|
|
labels: {app: autocert}
|
|
spec:
|
|
replicas: 1
|
|
selector: {matchLabels: {app: autocert}}
|
|
template:
|
|
metadata: {labels: {app: autocert}}
|
|
spec:
|
|
containers:
|
|
- name: autocert
|
|
image: smallstep/autocert-controller:0.8.3
|
|
resources: {requests: {cpu: 100m, memory: 20Mi}}
|
|
env:
|
|
- name: PROVISIONER_NAME
|
|
value: autocert
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /home/step/.step/config
|
|
readOnly: true
|
|
- name: certs
|
|
mountPath: /home/step/.step/certs
|
|
readOnly: true
|
|
- name: autocert-password
|
|
mountPath: /home/step/password
|
|
readOnly: true
|
|
- name: autocert-config
|
|
mountPath: /home/step/autocert
|
|
readOnly: true
|
|
securityContext:
|
|
runAsUser: 1000
|
|
allowPrivilegeEscalation: false
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 4443
|
|
scheme: HTTPS
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 4443
|
|
scheme: HTTPS
|
|
volumes:
|
|
- name: config
|
|
configMap: {name: config}
|
|
- name: certs
|
|
configMap: {name: certs}
|
|
- name: autocert-password
|
|
secret: {secretName: autocert-password}
|
|
- name: autocert-config
|
|
configMap: {name: autocert-config}
|
|
|