Update helm charts for the refactored TLS solution.

Ref #36

Update helm charts for the refactored TLS solution.
Ref #36
4b3ef9f6 · Geoff Simmons · 0ed73905 · 4b3ef9f6 · 4b3ef9f6 · 4b3ef9f6
Commit 4b3ef9f6 authored Aug 03, 2020 by Geoff Simmons
6 changed files
--- a/charts/viking-controller/templates/clusterrole.yaml
+++ b/charts/viking-controller/templates/clusterrole.yaml
@@ -25,17 +25,6 @@ rules:
      - get
      - list
      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - tls-cert
-    verbs:
-      - get
-      - list
-      - watch
-      - update
  - apiGroups:
      - ""
    resources:

--- a/charts/viking-service/templates/_helpers.tpl
+++ b/charts/viking-service/templates/_helpers.tpl
@@ -20,14 +20,6 @@ Create a admin secret name
 {{- printf "%s-admin" (include "viking-service.name" . | trunc 55) -}}
 {{- end -}}
-{{/*
-Create a TLS secret name
-*/}}
-{{- define "viking-service.tls-secret-name" -}}
-{{/*{{- printf "%s-tls-crt" (include "viking-service.name" . | trunc 55) -}}*/}}
-{{- printf "tls-cert" -}}
-{{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

--- a/charts/viking-service/templates/admin-service.yaml
+++ b/charts/viking-service/templates/admin-service.yaml
@@ -24,7 +24,7 @@ spec:
      port: 5555
      targetPort: 5555
      protocol: TCP
-    - name: faccess
+    - name: crt-dnldr
      port: 5556
      targetPort: 5556
      protocol: TCP

--- a/charts/viking-service/templates/tls-cert-secret.yaml
+++ b/charts/viking-service/templates/tls-cert-secret.yaml
-apiVersion: v1
+kind: ClusterRole
-kind: Secret
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "viking-service.tls-secret-name" . }}
  labels:
    app.kubernetes.io/name: {{ template "viking-service.name" . }}
    helm.sh/chart: {{ template "viking-service.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
-    viking.uplex.de/secret: pem
+  name: {{ template "viking-service.fullname" . }}
-type: Opaque
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
--- a/charts/viking-service/templates/clusterrolebinding.yaml
+++ b/charts/viking-service/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ template "viking-service.name" . }}
+    helm.sh/chart: {{ template "viking-service.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  name: {{ template "viking-service.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "viking-service.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "viking-service.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
--- a/charts/viking-service/templates/deployment.yaml
+++ b/charts/viking-service/templates/deployment.yaml
@@ -168,7 +168,6 @@ spec:
          volumeMounts:
            - name: tls-cert
              mountPath: "/etc/ssl/private"
-              readOnly: true
            - name: run-offload
              mountPath: "/run/offload"
            - name: run-haproxy
@@ -202,9 +201,8 @@ spec:
              - key: admin
                path: _.secret
        - name: tls-cert
-          secret:
+          emptyDir:
-            secretName: {{ template "viking-service.tls-secret-name" . }}
+            medium: "Memory"
-            defaultMode: 0440
        - name: run-varnish-home
          emptyDir:
            medium: "Memory"