skipper: update hostname-credentials-controller

The logic previously implemented by secret-combiner was moved into hostname-credentials-controller. Signed-off-by: Alexander Yastrebov <[email protected]>
zalando-incubator · Mar 4, 2024 · 7755b14 · 7755b14
1 parent 9557cae
commit 7755b14
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 100 deletions.
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -4,6 +4,20 @@ pre_apply:
   namespace: kube-system
   kind: Deployment
 
+# TODO: remove after rollout
+- kind: CronJob
+  name: secret-combiner
+  namespace: kube-system
+- kind: RoleBinding
+  name: secret-combiner
+  namespace: kube-system
+- kind: Role
+  name: secret-combiner
+  namespace: kube-system
+- kind: ServiceAccount
+  name: secret-combiner
+  namespace: kube-system
+
 # everything defined under here will be deleted after applying the manifests
 post_apply:
 - name: cronjob-monitor

diff --git a/cluster/manifests/skipper/hostname-credentials-controller.yaml b/cluster/manifests/skipper/hostname-credentials-controller.yaml
@@ -1,5 +1,5 @@
 # {{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# {{ $version := "main-11" }}
+# {{ $version := "main-12" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -56,6 +56,42 @@ subjects:
     name: hostname-credentials-controller
     namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hostname-credentials-controller
+subjects:
+  - kind: ServiceAccount
+    name: hostname-credentials-controller
+    namespace: kube-system
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -91,10 +127,12 @@ spec:
               args:
                 - -ingress-selector=application
                 - -credentials-namespace=kube-system
-                - -credentials-name-template={hostname}-grant-credentials
+                - -credentials-name-template={host}-grant-credentials
                 - -credentials-selector=application=skipper-ingress,component=hostname-credentials
                 - -credentials-labels=application=skipper-ingress,component=hostname-credentials
                 - -credentials-redirect-uri-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}
+                - -combined-secret-name=hostname-credentials
+                - -combined-secret-labels=application=skipper-ingress,component=hostname-credentials-combined
               resources:
                 limits:
                   cpu: 10m

diff --git a/cluster/manifests/skipper/secret-combiner.yaml b/cluster/manifests/skipper/secret-combiner.yaml