cert-manager/deploy/chart/webhook/templates/ca-sync.yaml
Chris Boot e1e30f6c18 Fix CronJob schedule for in webhook chart
The current schedule (* * */24 * *) effectively causes the CronJob to
run on the 24th of every month only, and on the 24th it runs every
single minute (1440 times). The intention was to have it run daily, but I
suspect that running it weekly should be plenty good enough.

This fixes helm/charts#8077.

Signed-off-by: Chris Boot <bootc@bootc.net>
2019-01-08 22:51:31 +00:00


## This file contains a CronJob that runs every week to automatically update the
## caBundle set on the APIService and ValidatingWebhookConfiguration resource.
## This allows us to store the CA bundle in a Secret resource which is
## generated by cert-manager's 'selfsigned' Issuer.
##
## The helper runs under a dedicated ServiceAccount (defined further down in
## this file) whose ClusterRole is scoped with resourceNames to exactly the
## objects it has to read or update; keep that scoping if the helper's
## responsibilities ever grow.
# NOTE(review): batch/v1beta1 is the legacy CronJob API; newer clusters only
# serve batch/v1 for CronJob — confirm against the supported cluster range.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  # Standard cron macro for "once a week". The previous schedule
  # ("* * */24 * *") fired every minute on the 24th of each month only.
  schedule: "@weekly"
  # NOTE(review): no concurrencyPolicy is set, so the Kubernetes default
  # (Allow) applies; overlapping runs would race on the same update calls.
  # Consider Forbid — confirm with the helper's update semantics.
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: ca-helper
        spec:
          # Dedicated identity so the pod's token carries only the RBAC below.
          serviceAccountName: {{ include "webhook.fullname" . }}-ca-sync
          restartPolicy: OnFailure
          containers:
            - name: ca-helper
              image: {{ .Values.caSyncImage.repository }}:{{ .Values.caSyncImage.tag }}
              imagePullPolicy: {{ .Values.caSyncImage.pullPolicy }}
              args:
                # Reads the JSON sync spec from the ConfigMap key "config",
                # which is mounted below at /config/config.
                - -config=/config/config
              volumeMounts:
                - name: config
                  mountPath: /config
              resources:
                requests:
                  cpu: 10m
                  memory: 32Mi
                limits:
                  cpu: 100m
                  memory: 128Mi
          # NOTE(review): no pod/container securityContext is set (runAsNonRoot,
          # readOnlyRootFilesystem); whether the image tolerates these is not
          # visible here — confirm before adding.
          volumes:
            - name: config
              configMap:
                name: {{ include "webhook.fullname" . }}-ca-sync
---
# One-shot Job with the same pod spec as the CronJob's jobTemplate above.
# Presumably this performs the first caBundle sync at install time instead of
# waiting for the first weekly run — confirm against the chart's install flow.
# NOTE(review): a Job's spec.template is immutable once created, so a chart
# upgrade that changes the image or args may fail to apply this object unless
# it is recreated — confirm how upgrades are handled.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  template:
    metadata:
      labels:
        app: ca-helper
    spec:
      # Same least-privilege ServiceAccount as the CronJob.
      serviceAccountName: {{ include "webhook.fullname" . }}-ca-sync
      restartPolicy: OnFailure
      containers:
        - name: ca-helper
          image: {{ .Values.caSyncImage.repository }}:{{ .Values.caSyncImage.tag }}
          imagePullPolicy: {{ .Values.caSyncImage.pullPolicy }}
          args:
            # JSON sync spec from the ConfigMap key "config", mounted at /config.
            - -config=/config/config
          volumeMounts:
            - name: config
              mountPath: /config
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              cpu: 100m
              memory: 128Mi
      volumes:
        - name: config
          configMap:
            name: {{ include "webhook.fullname" . }}-ca-sync
---
# Configuration consumed by the ca-helper container (-config=/config/config).
# Helm renders the template actions first, then the result is a JSON document
# stored verbatim under the "config" key (block scalar, no trailing newline).
# No YAML comments may appear inside the block scalar: they would become part
# of the JSON payload and break parsing.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  # apiServices: the APIService's caBundle is taken from the "tls.crt" key of
  # the webhook's root CA Secret in the release namespace.
  # validatingWebhookConfigurations: the caBundle is taken from the pod's own
  # service-account CA file (the cluster CA) rather than the Secret — presumably
  # because the webhook is reached through the aggregated API server; confirm.
  config: |-
    {
      "apiServices": [
        {
          "name": "v1beta1.admission.certmanager.k8s.io",
          "secret": {
            "name": "{{ include "webhook.rootCACertificate" . }}",
            "namespace": "{{ .Release.Namespace }}",
            "key": "tls.crt"
          }
        }
      ],
      "validatingWebhookConfigurations": [
        {
          "name": "{{ include "webhook.fullname" . }}",
          "file": {
            "path": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          }
        }
      ]
    }
---
# Dedicated ServiceAccount for the ca-sync Job and CronJob pods. Its only
# permissions come from the ClusterRole/ClusterRoleBinding that follow.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
---
# Least-privilege role for the ca-helper. Every rule is pinned with
# resourceNames to the single object the helper needs. Note that "list" and
# "watch" are deliberately absent: resourceNames cannot restrict those verbs,
# so granting them would expose every object of the kind cluster-wide.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is the legacy RBAC API;
# newer clusters only serve v1 — confirm against the supported cluster range.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  # Read-only access to just the root CA Secret (source of the APIService
  # caBundle). Secrets are namespaced, so a ClusterRole with resourceNames
  # still matches that name in any namespace — tolerated here, but a
  # namespaced Role would be tighter if the helper only reads this release's
  # namespace; confirm with the helper.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames:
      - {{ include "webhook.rootCACertificate" . }}
  # Update the webhook's own configuration object only.
  # NOTE(review): the ConfigMap above configures only a
  # ValidatingWebhookConfiguration; whether the helper also needs
  # mutatingwebhookconfigurations is not visible here — drop it if not.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "update"]
    resourceNames:
      - {{ include "webhook.fullname" . }}
  # Update the single APIService registered for the webhook.
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "update"]
    resourceNames:
      - v1beta1.admission.certmanager.k8s.io
---
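# Binds the ca-sync ServiceAccount to the scoped ClusterRole above. Keep this
# as a ClusterRole binding: the APIService and webhook configuration objects
# are cluster-scoped and cannot be granted through a namespaced Role.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}-ca-sync
  labels:
    app: {{ include "webhook.name" . }}
    chart: {{ include "webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "webhook.fullname" . }}-ca-sync
subjects:
  - kind: ServiceAccount
    name: {{ include "webhook.fullname" . }}-ca-sync
    # Quoted like every other namespace reference in this file, so a
    # number- or boolean-looking namespace cannot be mistyped by the parser.
    namespace: {{ .Release.Namespace | quote }}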