Merge pull request #1534 from marquiz/devel/kustomize-cleanup
deployment/kustomize: drop the sample cert-manager overlay
commit
64eba874db
9 changed files with 2 additions and 181 deletions
|
@ -1,9 +0,0 @@
|
|||
- op: add
|
||||
path: /spec/template/spec/containers/0/args/-
|
||||
value: "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/args/-
|
||||
value: "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/args/-
|
||||
value: "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
|
@ -1,41 +0,0 @@
|
|||
# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
|
||||
# - Create a self signed issuer
|
||||
# - Use this to create a CA cert
|
||||
# - Use this to now create a CA issuer
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: nfd-ca-bootstrap
|
||||
namespace: node-feature-discovery
|
||||
spec:
|
||||
selfSigned: {}
|
||||
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: nfd-ca-cert
|
||||
namespace: node-feature-discovery
|
||||
spec:
|
||||
isCA: true
|
||||
secretName: nfd-ca-cert
|
||||
subject:
|
||||
organizations:
|
||||
- node-feature-discovery
|
||||
commonName: nfd-ca-cert
|
||||
issuerRef:
|
||||
name: nfd-ca-bootstrap
|
||||
kind: Issuer
|
||||
group: cert-manager.io
|
||||
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: nfd-ca-issuer
|
||||
namespace: node-feature-discovery
|
||||
spec:
|
||||
ca:
|
||||
secretName: nfd-ca-cert
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: node-feature-discovery
|
||||
|
||||
resources:
|
||||
- ../../default
|
||||
- issuer.yaml
|
||||
- master-cert.yaml
|
||||
- workers-cert.yaml
|
||||
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
|
||||
patches:
|
||||
- path: args.yaml
|
||||
target:
|
||||
labelSelector: app=nfd
|
||||
name: nfd.*
|
||||
- path: master-mounts.yaml
|
||||
target:
|
||||
labelSelector: app=nfd
|
||||
name: nfd-master
|
||||
- path: worker-mounts.yaml
|
||||
target:
|
||||
labelSelector: app=nfd
|
||||
name: nfd-worker
|
||||
- path: probes.yaml
|
||||
target:
|
||||
labelSelector: app=nfd
|
||||
name: nfd-master
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: nfd-master-cert
|
||||
namespace: node-feature-discovery
|
||||
spec:
|
||||
secretName: nfd-master-cert
|
||||
subject:
|
||||
organizations:
|
||||
- node-feature-discovery
|
||||
commonName: nfd-master
|
||||
dnsNames:
|
||||
- nfd-master.node-feature-discovery.svc
|
||||
- nfd-master.node-feature-discovery.svc.cluster.local
|
||||
- nfd-master
|
||||
issuerRef:
|
||||
name: nfd-ca-issuer
|
||||
kind: Issuer
|
||||
group: cert-manager.io
|
|
@ -1,13 +0,0 @@
|
|||
- op: add
|
||||
path: /spec/template/spec/volumes/-
|
||||
value:
|
||||
name: nfd-master-cert
|
||||
secret:
|
||||
secretName: nfd-master-cert
|
||||
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/volumeMounts/-
|
||||
value:
|
||||
name: nfd-master-cert
|
||||
mountPath: /etc/kubernetes/node-feature-discovery/certs
|
||||
readOnly: true
|
|
@ -1,26 +0,0 @@
|
|||
- op: add
|
||||
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
|
||||
value: "-tls"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
|
||||
value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
|
||||
value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/livenessProbe/exec/command/-
|
||||
value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
|
||||
value: "-tls"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
|
||||
value: "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
|
||||
value: "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/readinessProbe/exec/command/-
|
||||
value: "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
- op: add
|
||||
path: /spec/template/spec/volumes/-
|
||||
value:
|
||||
name: nfd-worker-cert
|
||||
secret:
|
||||
secretName: nfd-worker-cert
|
||||
|
||||
- op: add
|
||||
path: /spec/template/spec/containers/0/volumeMounts/-
|
||||
value:
|
||||
name: nfd-worker-cert
|
||||
mountPath: /etc/kubernetes/node-feature-discovery/certs
|
||||
readOnly: true
|
|
@ -1,17 +0,0 @@
|
|||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: nfd-workers-cert
|
||||
namespace: node-feature-discovery
|
||||
spec:
|
||||
secretName: nfd-worker-cert
|
||||
subject:
|
||||
organizations:
|
||||
- node-feature-discovery
|
||||
commonName: nfd-worker
|
||||
dnsNames:
|
||||
- nfd-worker.node-feature-discovery.svc.cluster.local
|
||||
issuerRef:
|
||||
name: nfd-ca-issuer
|
||||
kind: Issuer
|
||||
group: cert-manager.io
|
|
@ -36,9 +36,7 @@ the nfd-worker has been signed by the specified root certificate (-ca-file).
|
|||
Additional hardening can be enabled by specifying `-verify-node-name` in
|
||||
nfd-master args, in which case nfd-master verifies that the NodeName presented
|
||||
by nfd-worker matches the Common Name (CN) or a Subject Alternative Name (SAN)
|
||||
of its certificate. Note that `-verify-node-name` complicates certificate
|
||||
management and is not yet supported in the helm or kustomize deployment
|
||||
methods.
|
||||
of its certificate.
|
||||
|
||||
## Automated TLS certificate management using cert-manager
|
||||
|
||||
|
@ -58,14 +56,7 @@ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/
|
|||
Alternatively, you can refer to cert-manager documentation for other
|
||||
installation methods such as the Helm chart they provide.
|
||||
|
||||
To use the kustomize overlay to install node-feature-discovery with TLS enabled,
|
||||
you may use the following:
|
||||
|
||||
```bash
|
||||
kubectl apply -k deployment/overlays/samples/cert-manager
|
||||
```
|
||||
|
||||
To make use of the helm chart, override `values.yaml` to enable both the
|
||||
When using the Helm chart to deploy NFD, override `values.yaml` to enable both the
|
||||
`tls.enabled` and `tls.certManager` options. Note that if you do not enable
|
||||
`tls.certManager`, helm will successfully install the application, but
|
||||
deployment will wait until certificates are manually created, as demonstrated
|
||||
|
|