diff --git a/charts/gardener-extension-admission-aws/charts/runtime/templates/deployment.yaml b/charts/gardener-extension-admission-aws/charts/runtime/templates/deployment.yaml
index 2ff52349a..03924e5cd 100644
--- a/charts/gardener-extension-admission-aws/charts/runtime/templates/deployment.yaml
+++ b/charts/gardener-extension-admission-aws/charts/runtime/templates/deployment.yaml
@@ -49,6 +49,9 @@ spec:
 {{- if .Values.global.kubeconfig }}
 - --kubeconfig=/etc/gardener-extension-admission-aws/kubeconfig/kubeconfig
 {{- end }}
+ {{- if .Values.global.projectedKubeconfig }}
+ - --kubeconfig={{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath }}/kubeconfig
+ {{- end }}
 {{- if .Values.global.metricsPort }}
 - --metrics-bind-address=:{{ .Values.global.metricsPort }}
 {{- end }}
@@ -87,6 +90,11 @@ spec:
 mountPath: /var/run/secrets/projected/serviceaccount
 readOnly: true
 {{- end }}
+ {{- if .Values.global.projectedKubeconfig }}
+ - name: kubeconfig
+ mountPath: {{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath }}
+ readOnly: true
+ {{- end }}
 volumes:
 - name: gardener-extension-admission-aws-cert
 secret:
@@ -109,3 +117,21 @@ spec:
 audience: {{ .Values.global.serviceAccountTokenVolumeProjection.audience }}
 {{- end }}
 {{- end }}
+ {{- if .Values.global.projectedKubeconfig }}
+ - name: kubeconfig
+ projected:
+ defaultMode: 420
+ sources:
+ - secret:
+ items:
+ - key: kubeconfig
+ path: kubeconfig
+ name: {{ required ".Values.global.projectedKubeconfig.genericKubeconfigSecretName is required" .Values.global.projectedKubeconfig.genericKubeconfigSecretName }}
+ optional: false
+ - secret:
+ items:
+ - key: token
+ path: token
+ name: {{ required ".Values.global.projectedKubeconfig.tokenSecretName is required" .Values.global.projectedKubeconfig.tokenSecretName }}
+ optional: false
+ {{- end }}
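Review bot: When both `.Values.global.kubeconfig` and `.Values.global.projectedKubeconfig` are set, the two independent `if` blocks in the first hunk render `--kubeconfig` twice. Which credential the admission controller then uses depends on how its flag parser treats a repeated flag, not on anything the chart states. Making the branches exclusive removes the ambiguity, e.g. opening the new block with `{{- if and .Values.global.projectedKubeconfig (not .Values.global.kubeconfig) }}`, or failing the render when both values are present. The same unguarded condition gates the new volumeMount in the second hunk and the projected volume in the third, so the guard belongs there as well. The args list starts outside the hunk, so whether the static kubeconfig volume stays mounted in that case cannot be confirmed from here.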
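Review bot: `defaultMode: 420` in the third hunk is decimal for octal 0644, so the projected `token` and `kubeconfig` files are readable by every UID inside the container, and the line does not say so. A comment such as `# 420 == 0644: token and kubeconfig are world-readable inside the pod` would make the permission reviewable at a glance. If the pod's securityContext (not visible in this hunk) pins a UID or fsGroup, a tighter mode could be considered; without that information a stricter value might make the files unreadable to the process, so this needs checking against the rest of the template. The `volumes:` list begins before the hunk.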
diff --git a/charts/gardener-extension-admission-aws/values.yaml b/charts/gardener-extension-admission-aws/values.yaml index e7e43509c..661e0c3a8 100644 --- a/charts/gardener-extension-admission-aws/values.yaml +++ b/charts/gardener-extension-admission-aws/values.yaml @@ -38,6 +38,11 @@ global: # Kubeconfig to the target cluster. In-cluster configuration will be used if not specified. kubeconfig: +# projectedKubeconfig: +# baseMountPath: /var/run/secrets/gardener.cloud +# genericKubeconfigSecretName: generic-token-kubeconfig +# tokenSecretName: access-aws-admission + serviceAccountTokenVolumeProjection: enabled: false expirationSeconds: 43200