mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-17 10:27:17 -05:00
db5468a886
Add image pull secret for ghcr.io
163 lines
3.8 KiB
Go
163 lines
3.8 KiB
Go
package resources
|
|
|
|
import (
|
|
"github.com/edgelesssys/constellation/internal/constants"
|
|
"github.com/edgelesssys/constellation/internal/secrets"
|
|
apps "k8s.io/api/apps/v1"
|
|
k8s "k8s.io/api/core/v1"
|
|
rbac "k8s.io/api/rbac/v1"
|
|
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
type kmsDeployment struct {
|
|
ServiceAccount k8s.ServiceAccount
|
|
ClusterRole rbac.ClusterRole
|
|
ClusterRoleBinding rbac.ClusterRoleBinding
|
|
Deployment apps.Deployment
|
|
MasterSecret k8s.Secret
|
|
ImagePullSecret k8s.Secret
|
|
}
|
|
|
|
const (
|
|
kmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:latest"
|
|
)
|
|
|
|
// NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation.
|
|
func NewKMSDeployment(masterSecret []byte) *kmsDeployment {
|
|
return &kmsDeployment{
|
|
ServiceAccount: k8s.ServiceAccount{
|
|
TypeMeta: meta.TypeMeta{
|
|
APIVersion: "v1",
|
|
Kind: "ServiceAccount",
|
|
},
|
|
ObjectMeta: meta.ObjectMeta{
|
|
Name: "kms",
|
|
Namespace: "kube-system",
|
|
},
|
|
},
|
|
ClusterRole: rbac.ClusterRole{
|
|
TypeMeta: meta.TypeMeta{
|
|
APIVersion: "rbac.authorization.k8s.io/v1",
|
|
Kind: "ClusterRole",
|
|
},
|
|
ObjectMeta: meta.ObjectMeta{
|
|
Name: "kms",
|
|
Labels: map[string]string{
|
|
"k8s-app": "kms",
|
|
},
|
|
},
|
|
Rules: []rbac.PolicyRule{
|
|
{
|
|
APIGroups: []string{""},
|
|
Resources: []string{"secrets"},
|
|
Verbs: []string{"get"},
|
|
},
|
|
},
|
|
},
|
|
ClusterRoleBinding: rbac.ClusterRoleBinding{
|
|
TypeMeta: meta.TypeMeta{
|
|
APIVersion: "rbac.authorization.k8s.io/v1",
|
|
Kind: "ClusterRoleBinding",
|
|
},
|
|
ObjectMeta: meta.ObjectMeta{
|
|
Name: "kms",
|
|
},
|
|
RoleRef: rbac.RoleRef{
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
Kind: "ClusterRole",
|
|
Name: "kms",
|
|
},
|
|
Subjects: []rbac.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Name: "kms",
|
|
Namespace: "kube-system",
|
|
},
|
|
},
|
|
},
|
|
Deployment: apps.Deployment{
|
|
TypeMeta: meta.TypeMeta{
|
|
APIVersion: "apps/v1",
|
|
Kind: "Deployment",
|
|
},
|
|
ObjectMeta: meta.ObjectMeta{
|
|
Labels: map[string]string{
|
|
"k8s-app": "kms",
|
|
},
|
|
Name: "kms",
|
|
Namespace: "kube-system",
|
|
},
|
|
Spec: apps.DeploymentSpec{
|
|
Selector: &meta.LabelSelector{
|
|
MatchLabels: map[string]string{
|
|
"k8s-app": "kms",
|
|
},
|
|
},
|
|
Template: k8s.PodTemplateSpec{
|
|
ObjectMeta: meta.ObjectMeta{
|
|
Labels: map[string]string{
|
|
"k8s-app": "kms",
|
|
},
|
|
},
|
|
Spec: k8s.PodSpec{
|
|
ImagePullSecrets: []k8s.LocalObjectReference{
|
|
{
|
|
Name: secrets.PullSecretName,
|
|
},
|
|
},
|
|
Volumes: []k8s.Volume{
|
|
{
|
|
Name: "mastersecret",
|
|
VolumeSource: k8s.VolumeSource{
|
|
Secret: &k8s.SecretVolumeSource{
|
|
SecretName: constants.ConstellationMasterSecretStoreName,
|
|
Items: []k8s.KeyToPath{
|
|
{
|
|
Key: constants.ConstellationMasterSecretKey,
|
|
Path: "constellation-mastersecret.base64",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
ServiceAccountName: "kms",
|
|
Containers: []k8s.Container{
|
|
{
|
|
Name: "kms",
|
|
Image: kmsImage,
|
|
VolumeMounts: []k8s.VolumeMount{
|
|
{
|
|
Name: "mastersecret",
|
|
ReadOnly: true,
|
|
MountPath: "/constellation/",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
MasterSecret: k8s.Secret{
|
|
TypeMeta: meta.TypeMeta{
|
|
APIVersion: "v1",
|
|
Kind: "Secret",
|
|
},
|
|
ObjectMeta: meta.ObjectMeta{
|
|
Name: constants.ConstellationMasterSecretStoreName,
|
|
Namespace: "kube-system",
|
|
},
|
|
Data: map[string][]byte{
|
|
constants.ConstellationMasterSecretKey: masterSecret,
|
|
},
|
|
Type: "Opaque",
|
|
},
|
|
ImagePullSecret: NewImagePullSecret(),
|
|
}
|
|
}
|
|
|
|
func (c *kmsDeployment) Marshal() ([]byte, error) {
|
|
return MarshalK8SResources(c)
|
|
}
|