diff --git a/class/defaults.yml b/class/defaults.yml index 1011cd4..b425bfe 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -23,6 +23,8 @@ parameters: kustomize_input: namespace: ${emergency_credentials_controller:namespace} + controller_deployment_patch: {} + cluster_admin_role: cluster-admin emergency_accounts: {} diff --git a/component/emergency-credentials-controller.jsonnet b/component/emergency-credentials-controller.jsonnet index 6f31e84..b186e49 100644 --- a/component/emergency-credentials-controller.jsonnet +++ b/component/emergency-credentials-controller.jsonnet @@ -27,6 +27,15 @@ local removeUpstreamAlerts = { }, }; +local deploymentPatch = { + apiVersion: 'apps/v1', + kind: 'Deployment', + metadata: { + name: 'controller-manager', + namespace: upstreamNamespace, + }, +} + com.makeMergeable(params.controller_deployment_patch); + local patch = function(p) { patch: std.manifestJsonMinified(p), }; @@ -50,6 +59,7 @@ com.Kustomization( patches+: [ patch(removeUpstreamNamespace), patch(removeUpstreamAlerts), + patch(deploymentPatch), ], labels+: [ { diff --git a/tests/defaults.yml b/tests/defaults.yml index 0c374f1..078ff4d 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -20,3 +20,13 @@ parameters: _tokenStores: ext-s3: type: s3 + + controller_deployment_patch: + spec: + template: + spec: + containers: + - name: manager + env: + - name: MY_ENV + value: test diff --git a/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/apps_v1_deployment_emergency-credentials-controller-controller-manager.yaml b/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/apps_v1_deployment_emergency-credentials-controller-controller-manager.yaml index 7256365..a3889cd 100644 --- a/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/apps_v1_deployment_emergency-credentials-controller-controller-manager.yaml 
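Review bot: The new `controller_deployment_patch: {}` default is added without any description, and nothing in this diff updates a parameter reference page, so a hierarchy author has to read the Jsonnet to learn that the value is a Kustomize strategic-merge patch applied to the upstream `controller-manager` Deployment. A short comment above the key would carry the essentials, e.g. `# Strategic-merge patch applied to the upstream controller-manager Deployment (see emergency-credentials-controller.jsonnet). Unrestricted: it can change image, args, serviceAccountName or securityContext, so treat it as privileged configuration.`. If the component keeps a parameters reference under docs/ (not visible in this diff), the same text belongs there with the `MY_ENV` example from tests/defaults.yml as the usage sample.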
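Review bot: In `deploymentPatch` the caller-supplied `com.makeMergeable(params.controller_deployment_patch)` is the right-hand operand of `+`, so a hierarchy value that happens to contain `metadata` (or `kind`/`apiVersion`) overrides the pinned `controller-manager` name and `upstreamNamespace` and silently retargets, or breaks, the Kustomize patch. Putting the fixed header on the right with `metadata+:` keeps the target pinned while still letting callers patch `spec`. Independently of that, the parameter is an unrestricted patch on a controller that, judging by `cluster_admin_role: cluster-admin` in the class defaults, hands out privileged credentials: anyone able to set it in the hierarchy can swap the `manager` image or args, change `serviceAccountName` or drop the container `securityContext`, which the change does not document or constrain; if the intended use is narrower (env, resources, scheduling), an `assert` rejecting `image`/`serviceAccountName` in the patch would make that explicit.
```jsonnet
local deploymentPatch = com.makeMergeable(params.controller_deployment_patch) + {
  apiVersion: 'apps/v1',
  kind: 'Deployment',
  // pinned last so a hierarchy value cannot retarget the patch
  metadata+: {
    name: 'controller-manager',
    namespace: upstreamNamespace,
  },
};
```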
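Review bot: `patch(deploymentPatch)` is appended to `patches+` unconditionally, so every consumer emits a patch against `controller-manager` even with the `{}` default, and the regenerated golden output in this commit shows that an env-only patch already moves the `kube-rbac-proxy` container behind `manager` — presumably Kustomize's strategic-merge list handling; whether the empty patch causes the same churn is not shown here. Appending the patch only when the parameter is set avoids both questions for clusters that do not use it: `] + (if std.length(params.controller_deployment_patch) > 0 then [ patch(deploymentPatch) ] else []),`. The `com.Kustomization(` call that this list belongs to starts before and ends after the hunk.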
+++ b/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/apps_v1_deployment_emergency-credentials-controller-controller-manager.yaml @@ -40,35 +40,14 @@ spec: values: - linux containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - --leader-elect - --namespace=$(POD_NAMESPACE) env: + - name: MY_ENV + value: test - name: POD_NAMESPACE valueFrom: fieldRef: @@ -99,6 +78,29 @@ spec: capabilities: drop: - ALL + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true seccompProfile: