cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account (#14264)
cmd/k8s-operator/deploy/chart: allow reading OAuth creds from a CSI driver's volume and annotating operator's Service account Updates #14264 Signed-off-by: Oliver Rahner <o.rahner@dke-data.com>
This commit is contained in:
parent
efdfd54797
commit
cbf1a4efe9
@ -35,9 +35,13 @@ spec:
|
|||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: oauth
|
- name: oauth
|
||||||
secret:
|
{{- with .Values.oauthSecretVolume }}
|
||||||
secretName: operator-oauth
|
{{- toYaml . | nindent 10 }}
|
||||||
|
{{- else }}
|
||||||
|
secret:
|
||||||
|
secretName: operator-oauth
|
||||||
|
{{- end }}
|
||||||
containers:
|
containers:
|
||||||
- name: operator
|
- name: operator
|
||||||
{{- with .Values.operatorConfig.securityContext }}
|
{{- with .Values.operatorConfig.securityContext }}
|
||||||
|
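Review bot: The inlined `oauthSecretVolume` block is rendered with `nindent 10`, but the `secret:` key it replaces was a direct sibling of `name:` under `- name: oauth`, and siblings must share that key's column; the page strips leading whitespace so I cannot confirm the column, but if `name:` sits at column 8 the CSI block lands two columns deeper and the rendered manifest either fails to parse or nests under the wrong key. Worth running `helm template` with a sample `oauthSecretVolume.csi` block set and checking that the emitted lines line up with the `secret:` line of the `else` branch, changing to `nindent 8` if they do not. A one-line comment above the `with` would also help chart readers, e.g. `# A non-empty oauthSecretVolume replaces the bundled Secret volume; {} keeps it`. The enclosing Deployment template continues outside the hunk.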
@ -6,6 +6,10 @@ kind: ServiceAccount
|
|||||||
metadata:
|
metadata:
|
||||||
name: operator
|
name: operator
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- with .Values.operatorConfig.serviceAccountAnnotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
|
@ -3,11 +3,26 @@
|
|||||||
|
|
||||||
# Operator oauth credentials. If set a Kubernetes Secret with the provided
|
# Operator oauth credentials. If set a Kubernetes Secret with the provided
|
||||||
# values will be created in the operator namespace. If unset a Secret named
|
# values will be created in the operator namespace. If unset a Secret named
|
||||||
# operator-oauth must be precreated.
|
# operator-oauth must be precreated or oauthSecretVolume needs to be adjusted.
|
||||||
|
# This block will be overridden by oauthSecretVolume, if set.
|
||||||
oauth: {}
|
oauth: {}
|
||||||
# clientId: ""
|
# clientId: ""
|
||||||
# clientSecret: ""
|
# clientSecret: ""
|
||||||
|
|
||||||
|
# Secret volume.
|
||||||
|
# If set it defines the volume the oauth secrets will be mounted from.
|
||||||
|
# The volume needs to contain two files named `client_id` and `client_secret`.
|
||||||
|
# If unset the volume will reference the Secret named operator-oauth.
|
||||||
|
# This block will override the oauth block.
|
||||||
|
oauthSecretVolume: {}
|
||||||
|
# csi:
|
||||||
|
# driver: secrets-store.csi.k8s.io
|
||||||
|
# readOnly: true
|
||||||
|
# volumeAttributes:
|
||||||
|
# secretProviderClass: tailscale-oauth
|
||||||
|
#
|
||||||
|
## NAME is pre-defined!
|
||||||
|
|
||||||
# installCRDs determines whether tailscale.com CRDs should be installed as part
|
# installCRDs determines whether tailscale.com CRDs should be installed as part
|
||||||
# of chart installation. We do not use Helm's CRD installation mechanism as that
|
# of chart installation. We do not use Helm's CRD installation mechanism as that
|
||||||
# does not allow for upgrading CRDs.
|
# does not allow for upgrading CRDs.
|
||||||
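Review bot: The new comments say `oauthSecretVolume` overrides `oauth`, yet the lines just above still state that a populated `oauth` block creates a Secret in the operator namespace; if the Secret template (outside this diff) is not guarded, setting both leaves an unmounted Secret holding the client credentials. Either guard that template on `oauthSecretVolume` being empty or state here that only one of the two blocks should be set, e.g. `# Set either oauth or oauthSecretVolume, not both.`. The closing `## NAME is pre-defined!` is too terse to act on; `# Do not set name here: the chart fixes the volume name to "oauth".` says what the reader needs. The `client_id`/`client_secret` filename requirement is the contract CSI SecretProviderClass authors must match, so it belongs in the chart README as well as this comment.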
@ -40,6 +55,9 @@ operatorConfig:
|
|||||||
podAnnotations: {}
|
podAnnotations: {}
|
||||||
podLabels: {}
|
podLabels: {}
|
||||||
|
|
||||||
|
serviceAccountAnnotations: {}
|
||||||
|
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/tailscale-operator-role
|
||||||
|
|
||||||
tolerations: []
|
tolerations: []
|
||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|