129 lines
3.1 KiB
YAML
129 lines
3.1 KiB
YAML
{{- if and (.Values.gitlab_runner.enabled) (.Values.gitlab_runner.createCertSecret) }}
|
|
# Pod to update certificates from master nodes
|
|
# only runs on control plane nodes (etcd)
|
|
# Mounts cert files rotatet by nixos service.mgr and uses it to update gitlab secret
|
|
# Always create certs on initial creation,
|
|
# Otherwise, cert creation would not happen until cronJob runs
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: cert-create
|
|
namespace: gitlab
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
block-egress: "true"
|
|
annotations:
|
|
linkerd.io/inject: disabled
|
|
spec:
|
|
restartPolicy: Never
|
|
serviceAccountName: cert-secret-updater
|
|
securityContext:
|
|
runAsUser: 12000
|
|
runAsGroup: 13000
|
|
fsGroup: 10000
|
|
affinity:
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms:
|
|
- matchExpressions:
|
|
- key: node-role.kubernetes.io
|
|
operator: In
|
|
values:
|
|
- control-plane
|
|
tolerations:
|
|
- key: unschedulable
|
|
value: "true"
|
|
effect: NoSchedule
|
|
containers:
|
|
- image: bitnami/kubectl:1.24
|
|
name: kubectl
|
|
resources: {}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
command:
|
|
- "/bin/sh"
|
|
- -c
|
|
- /tmp/renew-certs/renew-certs.sh
|
|
volumeMounts:
|
|
- name: ca-pem
|
|
mountPath: /tmp/ca.pem
|
|
- name: ca-key-pem
|
|
mountPath: /tmp/ca-key.pem
|
|
- name: certs-script
|
|
mountPath: /tmp/renew-certs
|
|
volumes:
|
|
- name: ca-pem
|
|
hostPath:
|
|
path: {{.Values.cluster_config.initca}}/ca.pem
|
|
type: File
|
|
- name: ca-key-pem
|
|
hostPath:
|
|
path: {{.Values.cluster_config.initca}}/ca-key.pem
|
|
type: File
|
|
- name: certs-script
|
|
configMap:
|
|
name: renew-certs-script
|
|
defaultMode: 0755
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
renew-certs.sh: |
|
|
#! /bin/bash
|
|
kubectl create secret tls -n gitlab itp-cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
|
|
kubectl apply -f /tmp/new-secret.yaml
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: renew-certs-script
|
|
namespace: gitlab
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: cert-secret-updater
|
|
namespace: gitlab
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: cert-secret-updater-role
|
|
namespace: gitlab
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resourceNames:
|
|
- itp-cluster-ca
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- '*'
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: cert-secret-updater-rbinding
|
|
namespace: gitlab
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: cert-secret-updater-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: cert-secret-updater
|
|
namespace: gitlab
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: default-deny-egress
|
|
namespace: gitlab
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
block-egress: "true"
|
|
policyTypes:
|
|
- Egress
|
|
---
|
|
{{- end }}
|