e2e: do not create a single-item list

The deployment of the Vault ConfigMap for the init-scripts job contains a List with a single Item. This can be cleaned up to just be a ConfigMap (without the list structure around it). Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-11-09 16:00:22 +00:00 · 2021-06-30 13:54:15 +02:00 · 2021-06-30 13:54:15 +02:00 · 8ce5ae16c1
commit 8ce5ae16c1
parent 75f385e881
1 changed files with 39 additions and 45 deletions
--- a/examples/kms/vault/vault.yaml
+++ b/examples/kms/vault/vault.yaml
@ -60,60 +60,54 @@ spec:
              name: vault-api
 ---
 apiVersion: v1
-items:
-  - apiVersion: v1
-    data:
-      init-vault.sh: |
-        set -x -e
+kind: ConfigMap
+metadata:
+  name: init-scripts
+data:
+  init-vault.sh: |
+    set -x -e

-        timeout 300 sh -c 'until vault status; do sleep 5; done'
+    timeout 300 sh -c 'until vault status; do sleep 5; done'

-        # login into vault to retrieve token
-        vault login ${VAULT_DEV_ROOT_TOKEN_ID}
+    # login into vault to retrieve token
+    vault login ${VAULT_DEV_ROOT_TOKEN_ID}

-        # enable kubernetes auth method under specific path:
-        vault auth enable -path="/${CLUSTER_IDENTIFIER}" kubernetes
+    # enable kubernetes auth method under specific path:
+    vault auth enable -path="/${CLUSTER_IDENTIFIER}" kubernetes

-        # write configuration to use your cluster
-        vault write auth/${CLUSTER_IDENTIFIER}/config \
-          token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
-          kubernetes_host="${K8S_HOST}" \
-          kubernetes_ca_cert=@${SERVICE_ACCOUNT_TOKEN_PATH}/ca.crt
+    # write configuration to use your cluster
+    vault write auth/${CLUSTER_IDENTIFIER}/config \
+      token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
+      kubernetes_host="${K8S_HOST}" \
+      kubernetes_ca_cert=@${SERVICE_ACCOUNT_TOKEN_PATH}/ca.crt

-        # create policy to use keys related to the cluster
-        vault policy write "${CLUSTER_IDENTIFIER}" - << EOS
-        path "secret/data/ceph-csi/*" {
-          capabilities = ["create", "update", "delete", "read", "list"]
-        }
+    # create policy to use keys related to the cluster
+    vault policy write "${CLUSTER_IDENTIFIER}" - << EOS
+    path "secret/data/ceph-csi/*" {
+      capabilities = ["create", "update", "delete", "read", "list"]
+    }

-        path "secret/metadata/ceph-csi/*" {
-          capabilities = ["read", "delete", "list"]
-        }
+    path "secret/metadata/ceph-csi/*" {
+      capabilities = ["read", "delete", "list"]
+    }

-        path "sys/mounts" {
-          capabilities = ["read"]
-        }
-        EOS
+    path "sys/mounts" {
+      capabilities = ["read"]
+    }
+    EOS

-        # create a role
-        vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \
-            bound_service_account_names="${SERVICE_ACCOUNTS}" \
-            bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
-            policies="${CLUSTER_IDENTIFIER}"
-
-        # disable iss validation
-        # from: external-secrets/kubernetes-external-secrets#721
-        vault write auth/${CLUSTER_IDENTIFIER}/config \
-          token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
-          kubernetes_host="${K8S_HOST}" \
-          disable_iss_validation=true
-    kind: ConfigMap
-    metadata:
-      creationTimestamp: null
-      name: init-scripts
-kind: List
-metadata: {}
+    # create a role
+    vault write "auth/${CLUSTER_IDENTIFIER}/role/${PLUGIN_ROLE}" \
+        bound_service_account_names="${SERVICE_ACCOUNTS}" \
+        bound_service_account_namespaces="${SERVICE_ACCOUNTS_NAMESPACE}" \
+        policies="${CLUSTER_IDENTIFIER}"

+    # disable iss validation
+    # from: external-secrets/kubernetes-external-secrets#721
+    vault write auth/${CLUSTER_IDENTIFIER}/config \
+      token_reviewer_jwt=@${SERVICE_ACCOUNT_TOKEN_PATH}/token \
+      kubernetes_host="${K8S_HOST}" \
+      disable_iss_validation=true
 ---
 apiVersion: batch/v1
 kind: Job