// This is the recommended cluster deployment of sealed-secrets.
// See controller-norbac.jsonnet for the bare minimum functionality.
local kube = import "kube.libsonnet";
local controller = import "controller-norbac.jsonnet";
// Extend the bare controller deployment with the RBAC objects it needs.
// Everything below is evaluated on top of controller-norbac.jsonnet; `$.namespace`
// is not defined in this file and is presumably supplied by that import — confirm.
controller + {
  // Identity the controller pod runs as (see `serviceAccountName` below). Both
  // bindings grant their roles to this single account.
  account: kube.ServiceAccount("sealed-secrets-controller") + $.namespace,

  // Cluster-wide role: the controller must see SealedSecrets in every namespace
  // and write the resulting Secrets next to them. Note the Secret verbs omit
  // get/list/watch, so this role alone does not let the account read arbitrary
  // Secrets; it does allow create/update/delete of any Secret in any namespace,
  // which is the high-privilege part of this deployment.
  unsealerRole: kube.ClusterRole("secrets-unsealer") {
    rules: [
      {
        apiGroups: ["bitnami.com"],
        resources: ["sealedsecrets"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: [""],
        resources: ["secrets"],
        verbs: ["create", "update", "delete"], // don't need get
      },
    ],
  },

  // Namespaced role for the controller's own private key material. Read access
  // is pinned to the single Secret named "sealed-secrets-key"; create is not
  // (and cannot be) pinned, so within $.namespace the account may create Secrets
  // under any name.
  unsealKeyRole: kube.Role("sealed-secrets-key-admin") + $.namespace {
    rules: [
      {
        apiGroups: [""],
        resources: ["secrets"],
        resourceNames: ["sealed-secrets-key"],
        verbs: ["get"],
      },
      {
        apiGroups: [""],
        resources: ["secrets"],
        // Can't limit create by resourceName, because there's no resource yet
        verbs: ["create"],
      },
    ],
  },

  // Binds the cluster-wide unsealer role to the controller's ServiceAccount.
  // `roleRef_` / `subjects_+` are kube.libsonnet conveniences that expand to the
  // Kubernetes roleRef/subjects fields — see that library for the exact shape.
  unsealerBinding: kube.ClusterRoleBinding("sealed-secrets-controller") {
    roleRef_: $.unsealerRole,
    subjects_+: [$.account],
  },

  // Binds the namespaced key-admin role to the same ServiceAccount; the binding
  // itself lives in $.namespace so it cannot reach Secrets elsewhere.
  unsealKeyBinding: kube.RoleBinding("sealed-secrets-controller") + $.namespace {
    roleRef_: $.unsealKeyRole,
    subjects_+: [$.account],
  },

  // Run the controller pod as the account above instead of the namespace's
  // default ServiceAccount, so only this pod receives the grants defined here.
  controller+: {
    spec+: {
      template+: {
        spec+: {
          serviceAccountName: $.account.metadata.name,
        },
      },
    },
  },
}