Permission based on tags

2025-10-30 09:53:04 +00:00 · 2022-01-06 22:59:01 +02:00
parent b74ab73aba
commit 36b55101a3
2 changed files with 2 additions and 1 deletions
--- a/oracle/init/account.tf
+++ b/oracle/init/account.tf
@@ -56,5 +56,5 @@ resource "oci_identity_dynamic_group" "ccm" {
  compartment_id = var.tenancy_ocid
  name           = "oci-ccm"
  description    = "dynamic group created by terraform for oci-cloud-controller-manager"
-  matching_rule  = "ANY {instance.compartment.id = '${oci_identity_compartment.project.id}'}"
+  matching_rule  = "ALL {instance.compartment.id = '${oci_identity_compartment.project.id}', tag.Kubernetes.Role.value = 'contolplane'}"
 }
--- a/oracle/templates/controlplane.yaml.tpl
+++ b/oracle/templates/controlplane.yaml.tpl
@@ -72,5 +72,6 @@ cluster:
    enabled: true
    manifests:
      - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/oci-cloud-controller-manager.yaml
+      - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/kubelet-serving-cert-approver.yaml
      - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/metrics-server.yaml
      - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/local-path-storage.yaml