
Commit f4e6b2f

authored
krp: Generate secret for service serving certs (#769)
1 parent c9e7153 commit f4e6b2f


2 files changed

+42
-11
lines changed


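--- a/magefiles/operator.go
+++ b/magefiles/operator.go
@@ -706,13 +706,14 @@ func operatorResources(namespace string, m TemplateMaps) []runtime.Object {
 Name: "thanos-operator-controller-manager-metrics-service",
 Namespace: namespace,
 Labels: map[string]string{
-"app.kubernetes.io/component": "kube-rbac-proxy",
-"app.kubernetes.io/created-by": "thanos-operator",
-"app.kubernetes.io/instance": "controller-manager-metrics-service",
-"app.kubernetes.io/managed-by": "rhobs",
-"app.kubernetes.io/name": "service",
-"app.kubernetes.io/part-of": "thanos-operator",
-"control-plane": "controller-manager",
+"app.kubernetes.io/component": "kube-rbac-proxy",
+"app.kubernetes.io/created-by": "thanos-operator",
+"app.kubernetes.io/instance": "controller-manager-metrics-service",
+"app.kubernetes.io/managed-by": "rhobs",
+"app.kubernetes.io/name": "service",
+"app.kubernetes.io/part-of": "thanos-operator",
+"control-plane": "controller-manager",
+"service.beta.openshift.io/serving-cert-secret-name": "kube-rbac-proxy-tls",
 },
 },
 Spec: corev1.ServiceSpec{
@@ -854,8 +855,9 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 Args: []string{
 "--secure-listen-address=0.0.0.0:8443",
 "--upstream=http://127.0.0.1:8080/",
-"--logtostderr=true",
-"--v=0",
+"--v=4",
+"--tls-cert-file=/etc/tls/private/tls.crt",
+"--tls-private-key-file=/etc/tls/private/tls.key",
 },
 Ports: []corev1.ContainerPort{
 {
@@ -919,6 +921,24 @@ func operatorDeployment(namespace string, m TemplateMaps) *appsv1.Deployment {
 Drop: []corev1.Capability{"ALL"},
 },
 },
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "kube-rbac-proxy-tls",
+MountPath: "/etc/tls/private",
+ReadOnly: true,
+},
+},
+},
+},
+Volumes: []corev1.Volume{
+{
+Name: "kube-rbac-proxy-tls",
+VolumeSource: corev1.VolumeSource{
+Secret: &corev1.SecretVolumeSource{
+SecretName: "kube-rbac-proxy-tls",
+Optional: ptr.To(false),
+},
+},
 },
 },
 ServiceAccountName: "thanos-operator-controller-manager",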
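Review bot: The secret name `"kube-rbac-proxy-tls"` is spelled out four times in this section — in the Service annotation in the first hunk and as the VolumeMount name, Volume name and SecretName in the third — so a typo in any one of them silently breaks the mount; a single `const kubeRBACProxyTLSSecretName = "kube-rbac-proxy-tls"` used in all four places would keep the annotation and the volume in step. `Optional: ptr.To(false)` means the manager pod cannot start until the service-ca operator has populated that secret from the annotation, which only happens on OpenShift; that is the right fail-closed choice for a TLS key, but it deserves a comment on the Volume such as `// Populated by the OpenShift service-ca operator from the Service annotation; the pod does not start without it.` The `--v=0` to `--v=4` change in the second hunk is unrelated to the certificate work and is not mentioned in the commit title, and kube-rbac-proxy is noticeably more verbose at that level and may log request-level detail, so either keep `--v=0` or record why it was raised. Both operatorResources and operatorDeployment start and end outside these hunks.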

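--- a/resources/services/bundle/staging/operator.yaml
+++ b/resources/services/bundle/staging/operator.yaml
@@ -16,6 +16,7 @@ objects:
 app.kubernetes.io/name: service
 app.kubernetes.io/part-of: thanos-operator
 control-plane: controller-manager
+service.beta.openshift.io/serving-cert-secret-name: kube-rbac-proxy-tls
 name: thanos-operator-controller-manager-metrics-service
 namespace: rhobs-stage
 spec:
@@ -65,8 +66,9 @@ objects:
 - args:
 - --secure-listen-address=0.0.0.0:8443
 - --upstream=http://127.0.0.1:8080/
-- --logtostderr=true
-- --v=0
+- --v=4
+- --tls-cert-file=/etc/tls/private/tls.crt
+- --tls-private-key-file=/etc/tls/private/tls.key
 image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:98455d503b797b6b02edcfd37045c8fab0796b95ee5cf4cfe73b221a07e805f0
 imagePullPolicy: IfNotPresent
 name: kube-rbac-proxy
@@ -129,10 +131,19 @@ objects:
 capabilities:
 drop:
 - ALL
+volumeMounts:
+- mountPath: /etc/tls/private
+name: kube-rbac-proxy-tls
+readOnly: true
 securityContext:
 runAsNonRoot: true
 serviceAccountName: thanos-operator-controller-manager
 terminationGracePeriodSeconds: 10
+volumes:
+- name: kube-rbac-proxy-tls
+secret:
+optional: false
+secretName: kube-rbac-proxy-tls
 status: {}
 - apiVersion: v1
 kind: ServiceAccount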
