cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account (#14264)

cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating the operator's ServiceAccount

Updates #14264

Signed-off-by: Oliver Rahner <o.rahner@dke-data.com>
This commit is contained in:
Oliver Rahner 2024-12-03 18:00:40 +01:00 committed by GitHub
parent efdfd54797
commit cbf1a4efe9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 30 additions and 4 deletions


@ -36,8 +36,12 @@ spec:
{{- end }} {{- end }}
volumes: volumes:
- name: oauth - name: oauth
{{- with .Values.oauthSecretVolume }}
{{- toYaml . | nindent 10 }}
{{- else }}
secret: secret:
secretName: operator-oauth secretName: operator-oauth
{{- end }}
containers: containers:
- name: operator - name: operator
{{- with .Values.operatorConfig.securityContext }} {{- with .Values.operatorConfig.securityContext }}
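Review bot: The `{{- with .Values.oauthSecretVolume }}` branch renders whatever the user supplies through `toYaml` verbatim, so the template cannot check that the volume is read-only or that it actually exposes the two files values.yaml documents; that contract currently lives only in the values file. A template comment above the `with` would keep the two in step, e.g. `# Any Kubernetes volume source may be supplied here; it must present the client_id and client_secret files documented in values.yaml.` The `nindent 10` depth cannot be verified from this rendering because indentation is lost, so confirm it lands at the `- name: oauth` item level in the rendered manifest. The enclosing pod spec starts and ends outside the hunk.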


@ -6,6 +6,10 @@ kind: ServiceAccount
metadata: metadata:
name: operator name: operator
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{- with .Values.operatorConfig.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
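Review bot: `{{- toYaml . | nindent 4 }}` emits each annotation value with the type YAML inferred for it, while Kubernetes requires annotation values to be strings, so an unquoted `true`, an all-digit id or a `1.10`-style value in `serviceAccountAnnotations` would render as a non-string scalar and be rejected at apply time. Either document in values.yaml that annotation values must be quoted strings, or render them explicitly with `{{- range $k, $v := . }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}` in place of the toYaml line. Since the example given for this value (`eks.amazonaws.com/role-arn`) binds the operator's ServiceAccount to a cloud IAM role, a one-line template comment saying that chart values now decide which cloud identity the operator runs with would help reviewers of future value changes.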


@ -3,11 +3,26 @@
# Operator oauth credentials. If set a Kubernetes Secret with the provided # Operator oauth credentials. If set a Kubernetes Secret with the provided
# values will be created in the operator namespace. If unset a Secret named # values will be created in the operator namespace. If unset a Secret named
# operator-oauth must be precreated. # operator-oauth must be precreated or oauthSecretVolume needs to be adjusted.
# This block will be overridden by oauthSecretVolume, if set.
oauth: {} oauth: {}
# clientId: "" # clientId: ""
# clientSecret: "" # clientSecret: ""
# Secret volume.
# If set it defines the volume the oauth secrets will be mounted from.
# The volume needs to contain two files named `client_id` and `client_secret`.
# If unset the volume will reference the Secret named operator-oauth.
# This block will override the oauth block.
oauthSecretVolume: {}
# csi:
# driver: secrets-store.csi.k8s.io
# readOnly: true
# volumeAttributes:
# secretProviderClass: tailscale-oauth
#
## NAME is pre-defined!
# installCRDs determines whether tailscale.com CRDs should be installed as part # installCRDs determines whether tailscale.com CRDs should be installed as part
# of chart installation. We do not use Helm's CRD installation mechanism as that # of chart installation. We do not use Helm's CRD installation mechanism as that
# does not allow for upgrading CRDs. # does not allow for upgrading CRDs.
@ -40,6 +55,9 @@ operatorConfig:
podAnnotations: {} podAnnotations: {}
podLabels: {} podLabels: {}
serviceAccountAnnotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/tailscale-operator-role
tolerations: [] tolerations: []
affinity: {} affinity: {}
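Review bot: The new `oauthSecretVolume` comments state that it overrides the `oauth` block, but this commit does not show the template that creates the `operator-oauth` Secret from `.Values.oauth` being gated on `oauthSecretVolume`; if both are set, the client secret would presumably still be written into a Kubernetes Secret even though the operator reads it from the CSI volume, which is what the CSI path is meant to avoid. Either gate that Secret template on `oauthSecretVolume` being empty, or say so in the comment, e.g. `# Leave oauth empty when oauthSecretVolume is set, otherwise the credentials are also stored in a Secret.` The `## NAME is pre-defined!` line added inside the `oauthSecretVolume` comment reads as a stray note and should be removed or explained. The `readOnly: true` in the commented CSI example is worth calling out as the recommended setting rather than leaving it implicit in the example.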