# https://github.com/carvel-dev/secretgen-controller/releases/download/v0.16.0/release.yml
#
# Vendored copy of the upstream release manifest named above. When upgrading,
# diff this file against the upstream release.yml for the new tag: the local
# change visible in this file is the templated container image in the
# Deployment; any other difference deserves a look.
---
# Namespace that holds the controller Deployment and its ServiceAccount.
# NOTE(review): no pod-security.kubernetes.io/* labels are set, so Pod Security
# Admission for this namespace falls back to the cluster-wide default. The
# ServiceAccount living here is bound to a ClusterRole with all verbs on
# Secrets, so rights to create pods or exec in this namespace should be limited
# to cluster administrators.
apiVersion: v1
kind: Namespace
metadata:
  name: secretgen-controller
---
# CRD: SecretExport (secretgen.carvel.dev/v1alpha1), namespaced, with a status
# subresource. The spec carries three destination fields: toNamespace (one
# string), toNamespaces (list of strings) and dangerousToNamespacesSelector
# (list of key/operator/values matchers).
# NOTE(review): the schema does not describe the sharing semantics; confirm
# them against the upstream v0.16.0 documentation. If an export allows a Secret
# to be copied out of its namespace, permission to create or edit SecretExports
# should be granted as narrowly as permission to read Secrets there.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: secretexports.secretgen.carvel.dev
spec:
  group: secretgen.carvel.dev
  names:
    kind: SecretExport
    listKind: SecretExportList
    plural: secretexports
    singular: secretexport
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Each entry needs a key and an operator; values is optional.
              # NOTE(review): upstream put "dangerous" in the field name. The
              # schema does not say which object the key is evaluated against
              # (presumably the destination Namespace). Properties that a
              # namespace owner can edit are a weak basis for deciding who
              # receives a Secret; confirm before relying on this selector.
              dangerousToNamespacesSelector:
                items:
                  properties:
                    key:
                      description: Property to target the resource for the match.
                        It supports dot notation.
                      type: string
                    operator:
                      description: Type of comparison.
                      enum:
                      - In
                      - NotIn
                      - Exists
                      - DoesNotExist
                      type: string
                    values:
                      description: Values to match on the resource key using the comparison
                        operator.
                      items:
                        type: string
                      type: array
                  required:
                  - key
                  - operator
                  type: object
                type: array
              # Plain strings with no pattern or enum: any value passes schema
              # validation, so review destinations at admission or in code
              # review rather than expecting the API server to reject them.
              toNamespace:
                type: string
              toNamespaces:
                items:
                  type: string
                type: array
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
              observedSecretResourceVersion:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD: SecretImport (secretgen.carvel.dev/v1alpha1), namespaced, with a status
# subresource. The spec has a single optional string, fromNamespace.
# NOTE(review): presumably the receiving side of a SecretExport; the schema
# does not state whether an import works without a matching export. Confirm
# upstream, because that decides whether the exporting namespace alone
# controls who can obtain a copy of its Secrets.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: secretimports.secretgen.carvel.dev
spec:
  group: secretgen.carvel.dev
  names:
    kind: SecretImport
    listKind: SecretImportList
    plural: secretimports
    singular: secretimport
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Unconstrained string: no pattern, enum or required marker.
              fromNamespace:
                type: string
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD: SecretTemplate (secretgen.carvel.dev/v1alpha1), namespaced, with a
# status subresource. Per its own description it builds a Secret from data
# held in other Kubernetes resources: inputResources lists what to read,
# template says how to assemble the result, and serviceAccountName selects the
# identity used for the reads.
# NOTE(review): a SecretTemplate causes the controller to read resources on
# the author's behalf, using the named ServiceAccount. Permission to create or
# edit SecretTemplates in a namespace should therefore be treated like
# permission to act as the ServiceAccounts in that namespace. Presumably this
# is why the ClusterRole in this file can create serviceaccounts/token;
# confirm against upstream.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: secrettemplates.secretgen.carvel.dev
spec:
  group: secretgen.carvel.dev
  names:
    kind: SecretTemplate
    listKind: SecretTemplateList
    plural: secrettemplates
    singular: secrettemplate
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: SecretTemplate allows the construction of secrets using data
          that reside in other Kubernetes resources
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SecretTemplateSpec contains spec information
            properties:
              # The only required spec field. Each item pairs a local name
              # with a ref (apiVersion, kind, name; all three required). The
              # ref has no namespace field in this schema.
              inputResources:
                description: A list of input resources that are used to construct
                  a new secret. Input Resources can refer to ANY Kubernetes API. If
                  loading more than Secrets types ensure that `.spec.ServiceAccountName`
                  is set to an appropriate value. Input resources are read in the
                  order they are defined. An Input resource's name can be evaluated
                  dynamically from data in a previously evaluated input resource.
                items:
                  description: InputResource is references a single Kubernetes resource
                    along with a identifying name
                  properties:
                    name:
                      description: The name of InputResource. This is used as the
                        identifying name in templating to refer to this Input Resource.
                      type: string
                    ref:
                      description: The reference to the Input Resource
                      properties:
                        apiVersion:
                          type: string
                        kind:
                          type: string
                        # May be a JSONPath expression resolved from an earlier
                        # input, so the object actually read can depend on the
                        # content of another resource, not only on this spec.
                        name:
                          description: The name of the input resource. This field
                            can itself contain JSONPATH syntax to load the name dynamically
                            from other input resources. For example this field could
                            be set to a static value of "my-secret" or a dynamic valid
                            of "$(.anotherinputresource.spec.name)".
                          type: string
                      required:
                      - apiVersion
                      - kind
                      - name
                      type: object
                  required:
                  - name
                  - ref
                  type: object
                type: array
              # Optional. Without it only Secrets can be read (see the
              # description). Give the named ServiceAccount read access to
              # exactly the input kinds a template needs and nothing more.
              serviceAccountName:
                description: The Service Account used to read InputResources. If not
                  specified, only Secrets can be read as InputResources.
                type: string
              template:
                description: A JSONPath based template that can be used to create
                  Secrets.
                properties:
                  data:
                    additionalProperties:
                      type: string
                    description: 'Data key and value. Where key is the Secret Key
                      and the value is a jsonpath surrounded by $( ). The fetched
                      data MUST be base64 encoded. All InputResources are available
                      via their identifying name. For example: key1: $(.secretinput1.data.value1)
                      key2: $(.secretinput2.data.value2)'
                    type: object
                  metadata:
                    description: Metadata contains metadata for the Secret
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        description: Annotations to be placed on the generated secret
                        type: object
                      labels:
                        additionalProperties:
                          type: string
                        description: Labels to be placed on the generated secret
                        type: object
                    type: object
                  stringData:
                    additionalProperties:
                      type: string
                    description: 'StringData key and value. Where key is the Secret
                      Key and the value can contain a JSONPATH syntax surrounded by
                      $( ). All InputResources are available via their identifying
                      name. For example: key1: static-text key2: $(.input1.spec.value1)
                      key3: combined-$(.input2.status.value2)-$(.input2.status.value3)'
                    type: object
                  type:
                    description: Type is the type of Kubernetes Secret
                    type: string
                type: object
            required:
            - inputResources
            type: object
          status:
            description: SecretTemplateStatus contains status information
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
              observedSecretResourceVersion:
                type: string
              secret:
                description: LocalObjectReference contains enough information to let
                  you locate the referenced object inside the same namespace.
                properties:
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      TODO: Add other useful fields. apiVersion, kind, uid?'
                    type: string
                type: object
                x-kubernetes-map-type: atomic
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD: Certificate (secretgen.k14s.io/v1alpha1), namespaced, with a status
# subresource. Every spec field is optional and the schema has no top-level
# required list, so an object with no spec passes validation.
# NOTE(review): presumably caRef names the issuer used to sign the
# certificate, and by its description it resolves inside the same namespace.
# If so, permission to create Certificates in a namespace that holds a CA
# amounts to permission to issue under that CA; scope RBAC accordingly.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificates.secretgen.k14s.io
spec:
  group: secretgen.k14s.io
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    singular: certificate
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              alternativeNames:
                items:
                  type: string
                type: array
              caRef:
                description: LocalObjectReference contains enough information to let
                  you locate the referenced object inside the same namespace.
                properties:
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      TODO: Add other useful fields. apiVersion, kind, uid?'
                    type: string
                type: object
                x-kubernetes-map-type: atomic
              commonName:
                type: string
              # int64 with no minimum or maximum; the unit is not stated in
              # this schema. Confirm upstream before setting a validity period.
              duration:
                format: int64
                type: integer
              # Free-form strings; the schema has no enum of permitted usages.
              extendedKeyUsage:
                items:
                  type: string
                type: array
              isCA:
                type: boolean
              organization:
                type: string
              # Shape of the Secret that is generated: metadata, stringData
              # and Secret type.
              secretTemplate:
                properties:
                  metadata:
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        type: object
                      labels:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                  stringData:
                    additionalProperties:
                      type: string
                    type: object
                  type:
                    type: string
                type: object
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD: Password (secretgen.k14s.io/v1alpha1), namespaced, with a status
# subresource. The spec sets a total length (default 40), per-class integer
# fields (digits, lowercaseLetters, uppercaseLetters, symbols; each defaults
# to 0), the symbol alphabet, and the shape of the generated Secret.
# NOTE(review): none of the integer fields has a minimum or maximum, so a
# length of 1 passes schema validation. Where password strength matters,
# enforce a floor with an admission policy rather than relying on this CRD.
# The meaning of a 0 in the per-class fields is not stated here; confirm
# upstream.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: passwords.secretgen.k14s.io
spec:
  group: secretgen.k14s.io
  names:
    kind: Password
    listKind: PasswordList
    plural: passwords
    singular: password
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              digits:
                default: 0
                type: integer
              length:
                default: 40
                type: integer
              lowercaseLetters:
                default: 0
                type: integer
              # Shape of the Secret that is generated: metadata, stringData
              # and Secret type.
              secretTemplate:
                properties:
                  metadata:
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        type: object
                      labels:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                  stringData:
                    additionalProperties:
                      type: string
                    type: object
                  type:
                    type: string
                type: object
              # The quotes are required: the value starts with "!" and
              # contains "#", "&", "*" and ":", all of which are YAML
              # indicators in a plain scalar.
              symbolCharSet:
                default: '!@#$%&*;.:'
                type: string
              symbols:
                default: 0
                type: integer
              uppercaseLetters:
                default: 0
                type: integer
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD: RSAKey (secretgen.k14s.io/v1alpha1), namespaced, with a status
# subresource. The spec exposes only secretTemplate, the shape of the
# generated Secret. There is no field for key size, so key parameters cannot
# be set per object through this schema.
# NOTE(review): the key size is therefore chosen by the controller; check the
# upstream v0.16.0 source for the value if a minimum is mandated locally.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: rsakeys.secretgen.k14s.io
spec:
  group: secretgen.k14s.io
  names:
    kind: RSAKey
    listKind: RSAKeyList
    plural: rsakeys
    singular: rsakey
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Metadata, stringData and Secret type for the generated Secret.
              secretTemplate:
                properties:
                  metadata:
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        type: object
                      labels:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                  stringData:
                    additionalProperties:
                      type: string
                    type: object
                  type:
                    type: string
                type: object
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD: SSHKey (secretgen.k14s.io/v1alpha1), namespaced, with a status
# subresource. As with RSAKey in this file, the spec exposes only
# secretTemplate; key type and size are not configurable through this schema.
# NOTE(review): the algorithm and key size are therefore chosen by the
# controller; check the upstream v0.16.0 source if local policy restricts
# either.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: sshkeys.secretgen.k14s.io
spec:
  group: secretgen.k14s.io
  names:
    kind: SSHKey
    listKind: SSHKeyList
    plural: sshkeys
    singular: sshkey
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Metadata, stringData and Secret type for the generated Secret.
              secretTemplate:
                properties:
                  metadata:
                    properties:
                      annotations:
                        additionalProperties:
                          type: string
                        type: object
                      labels:
                        additionalProperties:
                          type: string
                        type: object
                    type: object
                  stringData:
                    additionalProperties:
                      type: string
                    type: object
                  type:
                    type: string
                type: object
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  type: object
                type: array
              friendlyDescription:
                type: string
              observedGeneration:
                format: int64
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Deployment of the controller: one replica, running as the ServiceAccount
# secretgen-controller-sa.
#
# This document is a template, not plain YAML: the container image is a Jinja
# expression that must be rendered before the manifest is applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    # Build provenance written by kbld for the upstream image: source
    # repository, commit, tag and the image digest. "dirty: true" records that
    # the upstream build ran from a working tree with uncommitted changes.
    # NOTE(review): this annotation describes the upstream image only. The
    # container below takes its image from atmosphere_images, so nothing in
    # this file guarantees that the deployed image has the digest recorded
    # here. Check that the rendered reference is pinned by digest and compare
    # it with this value when the two are meant to be the same image.
    kbld.k14s.io/images: |
      - origins:
        - local:
            path: /home/runner/work/secretgen-controller/secretgen-controller
        - git:
            dirty: true
            remoteURL: https://github.com/carvel-dev/secretgen-controller
            sha: d806899d96fcb5a07ff2e38f93e37884a3db2b1d
            tags:
            - v0.16.0
        url: ghcr.io/carvel-dev/secretgen-controller@sha256:59ec05ce5847bfd70c8e04f08b5195e918c8f6fbb947ffc91b456494a2958fd5
    secretgen-controller.carvel.dev/version: v0.16.0
  name: secretgen-controller
  namespace: secretgen-controller
spec:
  replicas: 1
  # 0 keeps no superseded ReplicaSets, so there is no revision to roll back
  # to with "kubectl rollout undo"; recovery means re-applying a known-good
  # manifest.
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: secretgen-controller
  template:
    metadata:
      labels:
        app: secretgen-controller
    spec:
      containers:
      # Quoted so that YAML does not read the leading "{{" as a flow mapping.
      - image: "{{ atmosphere_images['secretgen_controller'] | vexxhost.kubernetes.docker_image('ref') }}"
        name: secretgen-controller
        # Requests only; no limits are set, so memory and CPU use of this pod
        # is bounded only by the node or by a LimitRange in the namespace.
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        # Hardened container settings: no privilege escalation, every Linux
        # capability dropped, read-only root filesystem, non-root user.
        # runAsNonRoot without runAsUser relies on the image declaring a
        # numeric non-root user; the kubelet refuses to start the container
        # otherwise.
        # NOTE(review): no seccompProfile is set, so this pod does not meet
        # the "restricted" Pod Security Standard as written. Adding
        # seccompProfile.type RuntimeDefault would close that gap but makes
        # this file diverge further from upstream.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
      # "serviceAccount" is the deprecated alias of serviceAccountName; kept
      # as upstream ships it.
      serviceAccount: secretgen-controller-sa
---
# Identity the controller pod runs as. The ClusterRoleBinding in this file
# grants it cluster-wide rights, including all verbs on Secrets, so any pod
# that can be started under this ServiceAccount inherits them. Limit who may
# create pods or use exec in the secretgen-controller namespace.
# automountServiceAccountToken is not set, so the default applies and the
# token is mounted into pods that use this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secretgen-controller-sa
  namespace: secretgen-controller
---
# Cluster-wide permissions of the controller. Through the ClusterRoleBinding
# in this file they apply in every namespace.
#
# Blast radius if the controller pod or its token is compromised: read and
# write access to every Secret in the cluster, plus the ability to request
# tokens for any ServiceAccount. Treat the workload as cluster-admin
# equivalent when deciding where it may be scheduled, who may touch its
# namespace, and which audit events to alert on. In API audit logs the
# identity appears as
# system:serviceaccount:secretgen-controller:secretgen-controller-sa.
#
# '*' is quoted throughout because a bare * starts a YAML alias.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secretgen-controller-cluster-role
rules:
# Full control over the controller's own custom resources, in both API groups
# served by the CRDs in this file.
- apiGroups:
  - secretgen.k14s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - secretgen.carvel.dev
  resources:
  - '*'
  verbs:
  - '*'
# Every verb on core Secrets. This is the grant that makes the controller a
# high-value target; it is not narrowed by resourceNames or by namespace.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - '*'
# Read-only access to Namespaces and ServiceAccounts.
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - list
  - watch
  - get
# TokenRequest for any ServiceAccount in any namespace.
# NOTE(review): presumably used to read SecretTemplate input resources as the
# ServiceAccount named in the template; confirm upstream. Token creation by
# this identity is worth an audit-log alert, because legitimate requests
# should line up with existing SecretTemplate objects.
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
---
# Binds secretgen-controller-cluster-role to the controller's ServiceAccount.
# Because this is a ClusterRoleBinding and not a namespaced RoleBinding, every
# rule in the role applies in all namespaces. The single subject is
# secretgen-controller-sa in the secretgen-controller namespace; adding any
# further subject here hands out cluster-wide access to Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secretgen-controller-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secretgen-controller-cluster-role
subjects:
- kind: ServiceAccount
  name: secretgen-controller-sa
  namespace: secretgen-controller
902 namespace: secretgen-controller