feat: migrate secrets to kubernetes-reflector
@@ -5,5 +5,4 @@ resources:
|
||||
- certificate
|
||||
- ingress-nginx
|
||||
- k8s-gateway
|
||||
- secret-reflector
|
||||
- unifi
|
||||
|
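--- a/<unknown-dir>/cronjob.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-name: secret-reflector
-namespace: networking
-spec:
-schedule: "0 0 */2 * *"
-jobTemplate:
-spec:
-template:
-spec:
-serviceAccountName: sa-secret-reflector
-containers:
-- name: secret-reflector
-image: bitnami/kubectl:1.21.1
-command:
-- "/bin/sh"
-- "-ec"
-- |
-set -o nounset
-set -o errexit
-# space delimited secrets to copy
-SECRETS=$(kubectl get secrets -n networking | grep -i tls | awk '{print $1}')
-# source namespace to reflect secret from
-NAMESPACE_SOURCE="networking"
-# space delimited namespace where to reflect the secrets to
-NAMESPACE_DEST="kasten-io"
-for secret in ${SECRETS}; do
-secret_source_content="$(kubectl get secret "${secret}" -n "${NAMESPACE_SOURCE}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')"
-secret_source_checksum="$(echo "${secret_source_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')"
-for namespace in ${NAMESPACE_DEST}; do
-if kubectl get secret "${secret}" -n "${namespace}" >/dev/null 2>&1; then
-secret_dest_content="$(kubectl get secret "${secret}" -n "${namespace}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')"
-secret_dest_checksum="$(echo "${secret_dest_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')"
-if [ "${secret_source_checksum}" != "${secret_dest_checksum}" ]; then
-echo "${secret_source_content}" | \
-jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \
-kubectl replace -n "${namespace}" -f -
-fi
-else
-echo "${secret_source_content}" | \
-jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \
-kubectl apply -n "${namespace}" -f -
-fi
-done
-done
-restartPolicy: OnFailure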
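--- a/<unknown-dir>/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- cronjob.yaml
-- rbac.yaml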
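--- a/<unknown-dir>/rbac.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: sa-secret-reflector
-namespace: networking
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-name: secret-reflector
-rules:
-- apiGroups: [""]
-resources: ["configmaps", "secrets"]
-verbs: ["*"]
-- apiGroups: [""]
-resources: ["namespaces"]
-verbs: ["watch", "list"]
-- apiGroups: ["apiextensions.k8s.io"]
-resources: ["customresourcedefinitions"]
-verbs: ["watch", "list"]
-- apiGroups: ["certmanager.k8s.io"]
-resources: ["certificates", "certificates/finalizers"]
-verbs: ["watch", "list"]
-- apiGroups: ["cert-manager.io"]
-resources: ["certificates", "certificates/finalizers"]
-verbs: ["watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: secret-reflector
-roleRef:
-kind: ClusterRole
-name: secret-reflector
-apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-name: sa-secret-reflector
-namespace: networking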