Remove csi-driver-spiffe approver #107

Draft
wants to merge 1 commit into
base: main
34 changes: 0 additions & 34 deletions cmd/approver/main.go

This file was deleted.

File renamed without changes.
135 changes: 8 additions & 127 deletions deploy/charts/csi-driver-spiffe/README.md
Expand Up @@ -13,50 +13,27 @@ For example:

```yaml
registry: quay.io
repository:
driver: jetstack/cert-manager-csi-driver-spiffe
approver: jetstack/cert-manager-csi-driver-spiffe-approver
repository: jetstack/cert-manager-csi-driver-spiffe
```

#### **image.repository.driver** ~ `string`
#### **image.repository** ~ `string`
> Default value:
> ```yaml
> quay.io/jetstack/cert-manager-csi-driver-spiffe
> ```

Target image repository for the csi-driver driver DaemonSet.
#### **image.repository.approver** ~ `string`
> Default value:
> ```yaml
> quay.io/jetstack/cert-manager-csi-driver-spiffe-approver
> ```

Target image repository for the csi-driver approver Deployment.
Target image repository.
#### **image.tag** ~ `string`

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

#### **image.digest** ~ `object`
> Default value:
> ```yaml
> {}
> ```
#### **image.digest.driver** ~ `string`

Target csi-driver driver digest. Override any tag, if set.
For example:

```yaml
driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
```

#### **image.digest.approver** ~ `string`
#### **image.digest** ~ `string`

Target csi-driver approver digest. Override any tag, if set.
Target image digest. Override any tag, if set.
For example:

```yaml
approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
```

#### **image.pullPolicy** ~ `string`
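Review bot: The README now documents `image.repository` and `image.digest` as plain strings where they used to be objects with `driver` and `approver` keys, but nothing in this hunk tells existing users that the old keys stop working. A values file that still sets `image.repository.driver` or `image.digest.driver` will no longer select the driver image as intended, and a digest pin is exactly the setting users expect to survive an upgrade. Add an upgrade note to the README or the release notes that names the old keys and their replacements.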
Expand All @@ -65,14 +42,14 @@ approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb2
> IfNotPresent
> ```

Kubernetes imagePullPolicy on DaemonSet.
Kubernetes imagePullPolicy on Deployment.
#### **imagePullSecrets** ~ `array`
> Default value:
> ```yaml
> []
> ```

Optional secrets used for pulling the csi-driver-spiffe and csi-driver-spiffe-approver container images
Optional secrets used for pulling the csi-driver-spiffe container image

For example:
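Review bot: The new description for `image.pullPolicy` reads "Kubernetes imagePullPolicy on Deployment.", but this pull request deletes `templates/deployment.yaml`, and the template in this diff that still uses the value is `templates/daemonset.yaml`. The previous wording, "on DaemonSet", was the accurate one; keep it.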

Expand Down Expand Up @@ -316,102 +293,6 @@ Kubernetes imagePullPolicy on liveness probe.
> ```

The port that will expose the liveness of the csi-driver
#### **app.approver.replicaCount** ~ `number`
> Default value:
> ```yaml
> 1
> ```

Number of replicas of the approver to run.
#### **app.approver.signerName** ~ `string`
> Default value:
> ```yaml
> clusterissuers.cert-manager.io/*
> ```

The signer name that csi-driver-spiffe approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See: https://cert-manager.io/docs/concepts/certificaterequest/#approval
#### **app.approver.readinessProbe.port** ~ `number`
> Default value:
> ```yaml
> 6060
> ```

Container port to expose csi-driver-spiffe-approver HTTP readiness probe on default network interface.
#### **app.approver.metrics.port** ~ `number`
> Default value:
> ```yaml
> 9402
> ```

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
#### **app.approver.metrics.service.enabled** ~ `bool`
> Default value:
> ```yaml
> true
> ```

Create a Service resource to expose metrics endpoint.
#### **app.approver.metrics.service.type** ~ `string`
> Default value:
> ```yaml
> ClusterIP
> ```

Service type to expose metrics.
#### **app.approver.metrics.service.servicemonitor.enabled** ~ `bool`
> Default value:
> ```yaml
> false
> ```

Create Prometheus ServiceMonitor resource for cert-manager-csi-driver-spiffe approver.
#### **app.approver.metrics.service.servicemonitor.prometheusInstance** ~ `string`
> Default value:
> ```yaml
> default
> ```

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting difference ServiceMonitors using label selectors.
#### **app.approver.metrics.service.servicemonitor.interval** ~ `string`
> Default value:
> ```yaml
> 10s
> ```

The interval that the Prometheus will scrape for metrics.
#### **app.approver.metrics.service.servicemonitor.scrapeTimeout** ~ `string`
> Default value:
> ```yaml
> 5s
> ```

The timeout on each metric probe request.
#### **app.approver.metrics.service.servicemonitor.labels** ~ `object`
> Default value:
> ```yaml
> {}
> ```

Additional labels to give the ServiceMonitor resource.
#### **app.approver.resources** ~ `object`
> Default value:
> ```yaml
> {}
> ```

Kubernetes pod resource limits for cert-manager-csi-driver-spiffe approver

For example:

```yaml
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
```
#### **priorityClassName** ~ `string`
> Default value:
> ```yaml
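Review bot: Removing the `app.approver.signerName` entry drops the only text in this part of the README that explained how CertificateRequests for the driver get approved, and the visible changes do not describe what replaces it. State in the README which component is now expected to approve these requests and what it must be configured with, so that an upgrade does not leave requests pending or approved by something with looser checks.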
29 changes: 0 additions & 29 deletions deploy/charts/csi-driver-spiffe/templates/_helpers.tpl
Expand Up @@ -42,32 +42,3 @@ See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linke
{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
{{- end }}
{{- end }}

{{/*
Variants of the above image template which are addapted for the custom values format used in this chart:
registry: quay.io
repository:
driver: jetstack/cert-manager-csi-driver-spiffe
approver: jetstack/cert-manager-csi-driver-spiffe-approver
tag: vX.Y.Z
digest:
driver: sha256:...
approver: sha256:...
pullPolicy: IfNotPresent
*/}}
{{- define "image-driver" -}}
{{- $defaultTag := index . 1 -}}
{{- with index . 0 -}}
{{- if .registry -}}{{ printf "%s/%s" .registry .repository.driver }}{{- else -}}{{- .repository.driver -}}{{- end -}}
{{- if .digest.driver -}}{{ printf "@%s" .digest.driver }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
{{- end }}
{{- end }}

{{- define "image-approver" -}}
{{- $defaultTag := index . 1 -}}
{{- with index . 0 -}}
{{- if .registry -}}{{ printf "%s/%s" .registry .repository.approver }}{{- else -}}{{- .repository.approver -}}{{- end -}}
{{- if .digest.approver -}}{{ printf "@%s" .digest.approver }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
{{- end }}
{{- end }}
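Review bot: With `image-driver` and `image-approver` gone, the remaining `image` helper in the context lines formats its inputs with `printf "@%s" .digest` and no type check. A values file that still carries the old `digest:` map with a `driver:` key is truthy there and would be formatted as a map into the image reference rather than producing a clear error; the same applies to an old `repository:` map. Consider a `kindIs "string"` check with `fail` in the helper, or a values schema, so the old layout is rejected at render time.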

22 changes: 0 additions & 22 deletions deploy/charts/csi-driver-spiffe/templates/clusterrole.yaml
Expand Up @@ -8,25 +8,3 @@ rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificaterequests"]
verbs: ["watch", "create", "delete", "list"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{- include "cert-manager-csi-driver-spiffe.labels" . | nindent 4 }}
name: {{ include "cert-manager-csi-driver-spiffe.name" . }}-approver
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificaterequests"]
verbs: ["list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificaterequests/status"]
verbs: ["update"]

- apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames: ["{{.Values.app.approver.signerName}}"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
15 changes: 0 additions & 15 deletions deploy/charts/csi-driver-spiffe/templates/clusterrolebinding.yaml
Expand Up @@ -12,18 +12,3 @@ subjects:
- kind: ServiceAccount
name: {{ include "cert-manager-csi-driver-spiffe.name" . }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{- include "cert-manager-csi-driver-spiffe.labels" . | nindent 4 }}
name: {{ include "cert-manager-csi-driver-spiffe.name" . }}-approver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "cert-manager-csi-driver-spiffe.name" . }}-approver
subjects:
- kind: ServiceAccount
name: {{ include "cert-manager-csi-driver-spiffe.name" . }}-approver
namespace: {{ .Release.Namespace }}
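Review bot: The removed binding's subject is the ServiceAccount `{{ include "cert-manager-csi-driver-spiffe.name" . }}-approver`, but no ServiceAccount template appears among the changed files shown here, and neither does a ServiceMonitor template, even though the `app.approver.metrics.service.servicemonitor.*` values are removed from the README. If the chart has templates that create that ServiceAccount or read `.Values.app.approver`, remove them in this pull request too; otherwise the chart leaves an unused identity behind or may fail to render once the values are gone.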
2 changes: 1 addition & 1 deletion deploy/charts/csi-driver-spiffe/templates/daemonset.yaml
Expand Up @@ -60,7 +60,7 @@ spec:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
runAsUser: 0
image: "{{ template "image-driver" (tuple .Values.image $.Chart.AppVersion) }}"
image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args :
- --log-level={{ .Values.app.logLevel }}
54 changes: 0 additions & 54 deletions deploy/charts/csi-driver-spiffe/templates/deployment.yaml

This file was deleted.

19 changes: 0 additions & 19 deletions deploy/charts/csi-driver-spiffe/templates/metrics-service.yaml

This file was deleted.
