02-sample-apiserver-certs.yaml

# This manifest deploys certificates for the sample-apiserver and the proxied etcd,
# and RBAC roles for the EtcdProxy Controller to manage the certificates in the API server namespace.
#
# The CA certificate for the proxied etcd is stored in the 'etcd-serving-ca' ConfigMap,
# and the client certificate and key are stored in the 'etcd-client-cert' Secret.
#
# The etcd certificates are managed by the EtcdProxy Controller, so this manifests
# creates RBAC roles allowing the EtcdProxy Controller ServiceAccount to get, update and patch
# ConfigMap and Secret containing the etcd certificates.
---
# ConfigMap used to store the CA certificate for verifying the etcd proxy serving certifiacte.
apiVersion: v1
kind: ConfigMap
metadata:
  name: etcd-serving-ca
  namespace: k8s-sample-apiserver
data:
---
# Secret for storing the client certificate and key used to access the proxied etcd.
apiVersion: v1
kind: Secret
metadata:
  name: etcd-client-cert
  namespace: k8s-sample-apiserver
type: kubernetes.io/tls
data:
  tls.crt: ""
  tls.key: ""
---
# Role to allow getting and updating the Secret and ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: etcdproxy-manage-certs
  namespace: k8s-sample-apiserver
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "update", "patch"]
  resourceNames: ["etcd-client-cert"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "update", "patch"]
  resourceNames: ["etcd-serving-ca"]
---
# Bind the etcdproxy-manage-certs to the EtcdProxy Controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: etcdproxy-manage-certs-rb
  namespace: k8s-sample-apiserver
subjects:
- kind: ServiceAccount
  name: etcdproxy-controller-sa
  namespace: kube-apiserver-storage
roleRef:
  kind: Role
  name: etcdproxy-manage-certs
  apiGroup: rbac.authorization.k8s.io