diff --git a/kube-test/apps/cert-manager/self-signed/sealed-ss-secret.yml b/kube-test/apps/cert-manager/self-signed/sealed-ss-secret.yml
new file mode 100644
index 00000000..b9112d6f
--- /dev/null
+++ b/kube-test/apps/cert-manager/self-signed/sealed-ss-secret.yml
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: ss-secret
+ namespace: cert-manager
+spec:
+ encryptedData:
+ tls.crt: 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
+ tls.key: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: ss-secret
+ namespace: cert-manager
+ type: Opaque
diff --git a/kube-test/apps/cert-manager/self-signed/secret.yml b/kube-test/apps/cert-manager/self-signed/secret.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/kube-test/apps/cert-manager/self-signed/ss-secret.yml b/kube-test/apps/cert-manager/self-signed/ss-secret.yml
deleted file mode 100644
index 131b8ca6..00000000
--- a/kube-test/apps/cert-manager/self-signed/ss-secret.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: ss-secret
- namespace: cert-manager
-type: Opaque
-data:
- tls.crt: ""
- tls.key: ""
\ No newline at end of file
diff --git a/kube-test/apps/sealed-secrets/sealed-secrets.yml b/kube-test/apps/sealed-secrets/sealed-secrets.yml
new file mode 100644
index 00000000..e6b82e10
--- /dev/null
+++ b/kube-test/apps/sealed-secrets/sealed-secrets.yml
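Review bot: `spec.template.type: Opaque` is carried over from the deleted `ss-secret.yml` for what the `tls.crt`/`tls.key` keys describe as a TLS key pair; if the consumer is a cert-manager CA issuer, as the path suggests, `type: kubernetes.io/tls` is the Secret type `kubectl create secret tls` produces, so confirm which type the issuer expects before the ciphertext is regenerated, since changing the template later means resealing. The commit also adds an empty `secret.yml` in the same directory; if that is the plaintext input kubeseal consumed, it should not be tracked even when empty — remove it and add it to `.gitignore` so a future re-seal cannot commit the unencrypted key. With no scope annotation the sealed values are presumably bound to name `ss-secret` in namespace `cert-manager` (kubeseal's strict default), and recovering them at all depends on the controller's sealing key being backed up somewhere outside this repo.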
@@ -0,0 +1,401 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller-metrics
+ name: sealed-secrets-controller-metrics
+ namespace: kube-system
+spec:
+ ports:
+ - port: 8081
+ targetPort: 8081
+ selector:
+ name: sealed-secrets-controller
+ type: ClusterIP
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sealed-secrets-key-admin
+subjects:
+- kind: ServiceAccount
+ name: sealed-secrets-controller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-key-admin
+ name: sealed-secrets-key-admin
+ namespace: kube-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ name: secrets-unsealer
+ name: secrets-unsealer
+rules:
+- apiGroups:
+ - bitnami.com
+ resources:
+ - sealedsecrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - bitnami.com
+ resources:
+ - sealedsecrets/status
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: kube-system
+spec:
+ minReadySeconds: 30
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ name: sealed-secrets-controller
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ spec:
+ containers:
+ - args: []
+ command:
+ - controller
+ env: []
+ image: docker.io/bitnami/sealed-secrets-controller:0.26.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ name: sealed-secrets-controller
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 8081
+ name: metrics
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ stdin: false
+ tty: false
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ imagePullSecrets: []
+ initContainers: []
+ securityContext:
+ fsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: sealed-secrets-controller
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: tmp
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: sealedsecrets.bitnami.com
+spec:
+ group: bitnami.com
+ names:
+ kind: SealedSecret
+ listKind: SealedSecretList
+ plural: sealedsecrets
+ singular: sealedsecret
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SealedSecret is the K8s representation of a "sealed Secret" -
+ a regular k8s Secret that has been sealed (encrypted) using the controller's
+ key.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SealedSecretSpec is the specification of a SealedSecret
+ properties:
+ data:
+ description: Data is deprecated and will be removed eventually. Use
+ per-value EncryptedData instead.
+ format: byte
+ type: string
+ encryptedData:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ template:
+ description: Template defines the structure of the Secret that will
+ be created from this sealed secret.
+ properties:
+ data:
+ additionalProperties:
+ type: string
+ description: Keys that should be templated using decrypted data
+ nullable: true
+ type: object
+ immutable:
+ description: Immutable, if set to true, ensures that data stored
+ in the Secret cannot be updated (only object metadata can be
+ modified). If not set to true, the field can be modified at
+ any time. Defaulted to nil.
+ type: boolean
+ metadata:
+ description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ finalizers:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ name:
+ type: string
+ namespace:
+ type: string
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type:
+ description: Used to facilitate programmatic handling of secret
+ data.
+ type: string
+ type: object
+ required:
+ - encryptedData
+ type: object
+ status:
+ description: SealedSecretStatus is the most recently observed status of
+ the SealedSecret.
+ properties:
+ conditions:
+ description: Represents the latest available observations of a sealed
+ secret's current state.
+ items:
+ description: SealedSecretCondition describes the state of a sealed
+ secret at a certain point.
+ properties:
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ lastUpdateTime:
+ description: The last time this condition was updated.
+ format: date-time
+ type: string
+ message:
+ description: A human readable message indicating details about
+ the transition.
+ type: string
+ reason:
+ description: The reason for the condition's last transition.
+ type: string
+ status:
+ description: 'Status of the condition for a sealed secret. Valid
+ values for "Synced": "True", "False", or "Unknown".'
+ type: string
+ type:
+ description: 'Type of condition for a sealed secret. Valid value:
+ "Synced"'
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ observedGeneration:
+ description: ObservedGeneration reflects the generation most recently
+ observed by the sealed-secrets controller.
+ format: int64
+ type: integer
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-service-proxier
+ name: sealed-secrets-service-proxier
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: sealed-secrets-service-proxier
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:authenticated
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-service-proxier
+ name: sealed-secrets-service-proxier
+ namespace: kube-system
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - sealed-secrets-controller
+ resources:
+ - services
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resourceNames:
+ - 'http:sealed-secrets-controller:'
+ - http:sealed-secrets-controller:http
+ - sealed-secrets-controller
+ resources:
+ - services/proxy
+ verbs:
+ - create
+ - get
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: kube-system
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ name: sealed-secrets-controller
+ type: ClusterIP
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secrets-unsealer
+subjects:
+- kind: ServiceAccount
+ name: sealed-secrets-controller
+ namespace: kube-system
diff --git a/kube-test/registry/sealed-secrets.yml b/kube-test/registry/sealed-secrets.yml
new file mode 100644
index 00000000..779dcf2a
--- /dev/null
+++ b/kube-test/registry/sealed-secrets.yml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: sealed-secrets
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: 'https://github.com/mrpbennett/home-ops.git'
+ path: kube-test/apps/sealed-secrets
+ targetRevision: HEAD
+ directory:
+ recurse: true
+ destination:
+ server: 'https://kubernetes.default.svc'
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
\ No newline at end of file
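Review bot: Nothing in this 401-line manifest records where it was copied from or which upstream release it corresponds to, so the next upgrade has to be diffed by eye; a header comment at the top of the file, e.g. `# Vendored sealed-secrets controller manifest matching image tag 0.26.0 — replace wholesale on upgrade, do not hand-edit`, would fix that. The Deployment pins the controller image by tag only (`image: docker.io/bitnami/sealed-secrets-controller:0.26.0`); because this component holds the cluster's sealing private key, pin it by digest as well, `image: docker.io/bitnami/sealed-secrets-controller:0.26.0@sha256:<DIGEST from the registry>`, so a re-pushed tag cannot swap the binary. The `sealed-secrets-service-proxier` RoleBinding grants the `system:authenticated` group `create`/`get` on `services/proxy` for the controller service, i.e. every authenticated principal can reach the controller's HTTP endpoint through the API server; that is the upstream default needed for fetching the sealing certificate and is reasonable for a single-tenant cluster, but a one-line comment on the binding saying so would stop it being read as an over-grant later.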
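Review bot: The Application tracks `targetRevision: HEAD` with `automated.prune` and `selfHeal` on, so any push to the default branch is applied to the cluster unattended, and since this path deploys the controller that guards every sealed secret, branch protection on that branch (or a pinned tag here) is the control that matters; if HEAD tracking is deliberate for this test cluster, record that in a comment on the `targetRevision` line. Two smaller points of style: the file omits the leading `---` that the other new manifests in this commit start with, and it ends without a trailing newline (`\ No newline at end of file`), both of which yamllint reports.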