Removed secret-read permissions from pod
@@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
appVersion: "1.0"
|
||||
description: A Helm chart for Kubernetes
|
||||
appVersion: "2024.11.02.05"
|
||||
description: A FreeDNS webhook dns01 solver for cert-manager
|
||||
name: freedns-webhook
|
||||
version: 0.1.0
|
||||
version: 0.1.1
|
||||
|
||||
@@ -29,6 +29,9 @@ spec:
|
||||
- --v=2
|
||||
- --tls-cert-file=/tls/tls.crt
|
||||
- --tls-private-key-file=/tls/tls.key
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: {{ include "freedns-webhook.fullname" . }}-auth
|
||||
env:
|
||||
- name: GROUP_NAME
|
||||
value: {{ .Values.groupName | quote }}
|
||||
|
||||
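Review bot: The `envFrom`/`secretRef` added to the container is resolved only when the container starts, so a `helm upgrade` that changes the FreeDNS credentials leaves running pods on the old values unless the pod template changes as well. A checksum annotation on the pod template is the usual way to force that rollout, e.g. `checksum/auth: {{ include (print $.Template.BasePath "/<secret-template-file>") . | sha256sum }}` (the file name is a placeholder; the Secret template's path is not shown on this page). `envFrom` also exports every key of the Secret into the process environment, so listing the two keys explicitly under `env` with `secretKeyRef` would keep any key added to that Secret later from silently reaching the container. The container spec starts and ends outside this hunk.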
@@ -8,45 +8,6 @@ metadata:
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "freedns-webhook.name" . }}
|
||||
chart: {{ include "freedns-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- 'secrets'
|
||||
verbs:
|
||||
- 'get'
|
||||
---
|
||||
# Grant the webhook permission to read the secret
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "freedns-webhook.name" . }}
|
||||
chart: {{ include "freedns-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "freedns-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
||||
# apiserver's requestheader-ca-certificate.
|
||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
data:
|
||||
FREEDNS_USERNAME: {{ required "Please provide the value of freedns.auth.FREEDNS_USERNAME" .Values.freedns.auth.FREEDNS_USERNAME | b64enc | quote }}
|
||||
FREEDNS_PASSWORD: {{ required "Please provide the value of freedns.auth.FREEDNS_PASSWORD" .Values.freedns.auth.FREEDNS_PASSWORD | b64enc | quote }}
|
||||
metadata:
|
||||
name: {{ include "freedns-webhook.fullname" . }}-auth
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "freedns-webhook.name" . }}
|
||||
chart: {{ include "freedns-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
type: Opaque
|
||||
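Review bot: `type: Opaque` is set twice in the new Secret manifest, once right after `kind` and again as the last line. Duplicate mapping keys are invalid YAML, and parsers differ on whether they reject the document or silently keep the last value, so one of the two should be dropped. Because the credentials come from `.Values.freedns.auth.*`, they are also stored with the Helm release record and tend to end up in committed values files. An optional value naming a pre-created Secret, with this template skipped when it is set, would let operators keep them out of the chart inputs. `name:` and the label values are rendered unquoted while `namespace` uses `| quote`; quoting them the same way keeps the rendered output predictable.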
@@ -14,7 +14,7 @@ certManager:
|
||||
|
||||
image:
|
||||
repository: penguinade/cert-manager-webhook-freedns
|
||||
tag: 2024.11.02.04
|
||||
tag: 2024.11.02.05
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
nameOverride: ""
|
||||
@@ -24,6 +24,11 @@ service:
|
||||
type: ClusterIP
|
||||
port: 443
|
||||
|
||||
freedns:
|
||||
auth:
|
||||
FREEDNS_USERNAME:
|
||||
FREEDNS_PASSWORD:
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
|
||||
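Review bot: The new `freedns.auth` keys are written as bare `FREEDNS_USERNAME:` and `FREEDNS_PASSWORD:`, which parse as null and give the reader no hint that they are mandatory or how to supply them. Writing them as `FREEDNS_USERNAME: ""` and `FREEDNS_PASSWORD: ""` and adding a comment above the block such as `# Required. Supply from a values file kept out of version control; do not commit credentials here.` makes the intent explicit. The `resources` comment block continues outside this hunk.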