starred/holos
1
0
Fork 0
mirror of https://github.com/holos-run/holos.git synced 2026-03-20 01:04:59 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity
142 Commits 25 Branches 180 Tags
b86fee04fc5e6abeb4e3fa040b274069c19ca425
Commit Graph

4 Commits

Author SHA1 Message Date
Jeff McCune
646f6fcdb0 (#30) Add https redirect overlay resources 
This patch migrates the https redirect and the
istio-ingressgateway-loopback Service from
`holos-infra/components/core/istio/ingress/templates/deployment`
 2024-03-02 15:01:58 -08:00
Jeff McCune
6b156e9883 (#22) Label ns ceph-system with pod-security enforce: privileged 
This patch adds the `pod-security.kubernetes.io/enforce: privileged`
label to the ceph-system namespace.

The Namespace resources are managed all over the map, it would be a good
idea to consolidate the PlatformNamespaces data into one well known
place for the entire platform.  Eschewing for now.
 2024-02-28 15:57:01 -08:00
Jeff McCune
fd306aae76 Pod eso-creds-refresher authenticates to provisioner 
This patch adds a ConfigMap and Pod to the eso-creds-refresher
component.  The Pod executes the gcloud container, impersonates the
eso-creds-refresher iam service account using workload identity, then
authenticates to the remote provisioner cluster.

This is the foundation for a script to automatically create Secret API
objects in a workload cluster which have a kubernetes service account
token ESO SecretStore resources can use to fetch secrets from the
provisioner cluster.

Once we have that script in place we can turn this Pod into a Job and
replace Vault.
 2024-02-20 17:45:43 -08:00
Jeff McCune
5bf2b85036 Refactor namespaces separate from eso-creds-refresher 
Manage namespaces in a separate component so we can easily run the
eso-creds-refresher component through kubectl delete -f- without
deleting the namespace.

For the k2 cluster:

```
❯ holos build ./platforms/reference/clusters/workload/... | k apply --server-side=true -f-
serviceaccount/eso-creds-refresher serverside-applied
clusterrole.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
namespace/holos-system serverside-applied
namespace/flux-system serverside-applied
namespace/ceph-system serverside-applied
namespace/istio-system serverside-applied
namespace/istio-ingress serverside-applied
namespace/cert-manager serverside-applied
namespace/argocd serverside-applied
```

For the provisioner cluster:

```
❯ holos build ./platforms/reference/clusters/provisioner/... | k apply --server-side=true -f-
clusterrolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-creds-refresher serverside-applied
serviceaccount/eso-reader serverside-applied
role.rbac.authorization.k8s.io/eso-reader serverside-applied
rolebinding.rbac.authorization.k8s.io/eso-reader serverside-applied
serviceaccount/eso-writer serverside-applied
role.rbac.authorization.k8s.io/eso-writer serverside-applied
namespace/holos-system serverside-applied
namespace/flux-system serverside-applied
namespace/ceph-system serverside-applied
namespace/istio-system serverside-applied
namespace/istio-ingress serverside-applied
namespace/cert-manager serverside-applied
namespace/argocd serverside-applied
```
 2024-02-20 15:40:32 -08:00