controller-norbac.jsonnet
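// Minimal required deployment for a functional controller.
//
// This file defines the CRD, the Service and the controller Deployment only.
// No ServiceAccount, Role or binding is declared here, and the pod spec below
// sets no serviceAccountName.
// NOTE(review): unless an overlay supplies one, the pod would presumably run
// under the namespace's default service account -- confirm against the file
// that layers RBAC on top of this one.

// Namespace applied to every namespaced object through the `namespace` mixin.
local namespace = 'kube-system';

{
  kube:: (import 'vendor_jsonnet/kube-libsonnet/kube.libsonnet') {
    // v1beta2 deprecated in k8s 1.16. v1 can be used since 1.9. We currently officially support only >= 1.13
    // TODO(mkm): remove this override once https://github.com/bitnami-labs/kube-libsonnet/pull/23 lands
    // and we upgrade kube-libsonnet
    Deployment(name): super.Deployment(name) {
      apiVersion: 'apps/v1',
    },
  },
  local kube = self.kube,

  // Hidden fields filled from external variables at render time.
  // NOTE(review): the image reference is whatever the caller passes in; an
  // immutable reference (a digest rather than a mutable tag) keeps the
  // rendered manifest tied to one known image.
  controllerImage:: std.extVar('CONTROLLER_IMAGE'),
  imagePullPolicy:: std.extVar('IMAGE_PULL_POLICY'),

  crd: kube.CustomResourceDefinition('bitnami.com', 'v1alpha1', 'SealedSecret'),

  // Mixin that places an object in the namespace chosen above.
  namespace:: { metadata+: { namespace: namespace } },

  service: kube.Service('sealed-secrets-controller') + $.namespace {
    // The Service is wired to the controller's pod template.
    target_pod: $.controller.spec.template,
  },

  controller: kube.Deployment('sealed-secrets-controller') + $.namespace {
    spec+: {
      template+: {
        spec+: {
          containers_+: {
            controller: kube.Container('sealed-secrets-controller') {
              image: $.controllerImage,
              imagePullPolicy: $.imagePullPolicy,
              command: ['controller'],
              readinessProbe: {
                httpGet: { path: '/healthz', port: 'http' },
              },
              // Liveness reuses the readiness check, so both probe /healthz.
              livenessProbe: self.readinessProbe,
              ports_+: {
                // Unprivileged port: binding it needs no extra capability.
                http: { containerPort: 8080 },
              },
              securityContext+: {
                // The container runs as a fixed non-root UID on a read-only
                // root filesystem. The two settings below close the gaps
                // that leaves: no privilege gain through setuid/file
                // capabilities, and an empty capability bounding set.
                allowPrivilegeEscalation: false,
                capabilities: { drop: ['ALL'] },
                readOnlyRootFilesystem: true,
                runAsNonRoot: true,
                runAsUser: 1001,
              },
              volumeMounts_+: {
                // With the root filesystem read-only, /tmp is backed by the
                // emptyDir volume declared below (presumably as scratch
                // space for the controller).
                tmp: {
                  mountPath: '/tmp',
                },
              },
            },
          },
          volumes_+: {
            tmp: {
              emptyDir: {},
            },
          },
        },
      },
    },
  },
}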