e2e: do not create a single-item list

The deployment of the Vault ConfigMap for the init-scripts job contains
a List with a single Item. This can be cleaned up to just be a ConfigMap
(without the list structure around it).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-06-30 13:54:15 +02:00 committed by mergify[bot]
parent 75f385e881
commit 8ce5ae16c1


@ -60,60 +60,54 @@ spec:
name: vault-api name: vault-api
--- ---
apiVersion: v1 apiVersion: v1
items: kind: ConfigMap
- apiVersion: v1 metadata:
data: name: init-scripts
init-vault.sh: | data:
set -x -e init-vault.sh: |
set -x -e
timeout 300 sh -c 'until vault status; do sleep 5; done' timeout 300 sh -c 'until vault status; do sleep 5; done'
# login into vault to retrieve token # login into vault to retrieve token
vault login ${VAULT_DEV_ROOT_TOKEN_ID} vault login ${VAULT_DEV_ROOT_TOKEN_ID}
# enable kubernetes auth method under specific path: # enable kubernetes auth method under specific path:
vault auth enable -path="/${CLUSTER_IDENTIFIER}" kubernetes vault auth enable -path="/${CLUSTER_IDENTIFIER}" kubernetes
# write configuration to use your cluster # write configuration to use your cluster
vault write auth/${CLUSTER_IDENTIFIER}/config \ vault write auth/${CLUSTER_IDENTIFIER}/config \
token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \ token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
kubernetes_host="${K8S_HOST}" \ kubernetes_host="${K8S_HOST}" \
kubernetes_ca_cert=@${SERVICE_ACCOUNT_TOKEN_PATH}/ca.crt kubernetes_ca_cert=@${SERVICE_ACCOUNT_TOKEN_PATH}/ca.crt
# create policy to use keys related to the cluster # create policy to use keys related to the cluster
vault policy write "${CLUSTER_IDENTIFIER}" - << EOS vault policy write "${CLUSTER_IDENTIFIER}" - << EOS
path "secret/data/ceph-csi/*" { path "secret/data/ceph-csi/*" {
capabilities = ["create", "update", "delete", "read", "list"] capabilities = ["create", "update", "delete", "read", "list"]
} }
path "secret/metadata/ceph-csi/*" { path "secret/metadata/ceph-csi/*" {
capabilities = ["read", "delete", "list"] capabilities = ["read", "delete", "list"]
} }
path "sys/mounts" { path "sys/mounts" {
capabilities = ["read"] capabilities = ["read"]
} }
EOS EOS
# create a role # create a role
vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \ vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \
bound_service_account_names="${SERVICE_ACCOUNTS}" \ bound_service_account_names="${SERVICE_ACCOUNTS}" \
bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \ bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
policies="${CLUSTER_IDENTIFIER}" policies="${CLUSTER_IDENTIFIER}"
# disable iss validation
# from: external-secrets/kubernetes-external-secrets#721
vault write auth/${CLUSTER_IDENTIFIER}/config \
token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
kubernetes_host="${K8S_HOST}" \
disable_iss_validation=true
kind: ConfigMap
metadata:
creationTimestamp: null
name: init-scripts
kind: List
metadata: {}
# disable iss validation
# from: external-secrets/kubernetes-external-secrets#721
vault write auth/${CLUSTER_IDENTIFIER}/config \
token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
kubernetes_host="${K8S_HOST}" \
disable_iss_validation=true
--- ---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
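Review bot: With `set -x -e` at the top of init-vault.sh, the shell trace echoes the expanded value when `vault login ${VAULT_DEV_ROOT_TOKEN_ID}` runs, and `vault login` by default also prints the token on success, so the Job's pod logs end up carrying the Vault root token; prefer `set -e` (or `set +x` around that one command) together with `vault login -no-print "${VAULT_DEV_ROOT_TOKEN_ID}"`. The second `vault write auth/${CLUSTER_IDENTIFIER}/config` at the bottom of the script omits `kubernetes_ca_cert`; if that endpoint replaces the stored config rather than merging into it (worth confirming against the Vault version used in e2e), the CA pinned by the first write is silently dropped, and folding `disable_iss_validation=true` into the first write removes the question either way. Since disabling issuer validation is a deliberate weakening that suits the e2e cluster only, a comment such as `# e2e only: issuer validation is disabled (see external-secrets/kubernetes-external-secrets#721); do not copy this into production configs` above that line would keep it from being cargo-culted into real deployments. Only the ConfigMap document is fully inside this hunk; the Job that consumes it starts on the last lines and continues past the hunk's end.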