manifest updates #1077
manifest updates #1077
Conversation
Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
|
cc: @abhishek44sharma @BulldromeQ because there are some helm charts changes, especially around binding secrets to service account. I ran tests, all passing : I'll annotate my changes and merge momentarily. Feel free to let me know if you see anything fishy. |
| > **Türkçe Konuşanlar İçin:** | ||
| > | ||
| > Özgür yazılım birlikte olunca güzel 🤗. | ||
| > | ||
| > Eğer **VMware Secrets Manager** ile ilgili bir sorun varsa, projeye | ||
| > katkıda bulunmak istiyorsan veya başka bir konuda yardıma ihtiyacın varsa, | ||
| > dil engeli olmadan bize ulaşabilirsin. | ||
| > | ||
| > [Kampus Discord Sunucusu'nda **VMware Secrets Manager** kanalında][kampus] | ||
| > buluşalım ve birlikte dünyayı daha güvenli hale getirelim 🤘. |
There was a problem hiding this comment.
This one is for the Turkish developer community.
There is an unofficial discord channel on a discord server where we discuss VSecM in Turkish.
| @@ -28,7 +28,7 @@ spec: | |||
| serviceAccountName: example | |||
| containers: | |||
| - name: main | |||
| image: vsecm/example-multiple-secrets:0.26.2 | |||
| image: vsecm/example-multiple-secrets:latest | |||
There was a problem hiding this comment.
Pinning version was causing issues in quickstart tutorials.
This would be easier to manage.
There was a problem hiding this comment.
We are setting :latest only for things under the examples folder.
The rest of the apps still have whatever the future version under development is.
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["get", "list", "watch"] | ||
| resourceNames: ["vsecm-sentinel-init-secret"] |
There was a problem hiding this comment.
After defining the service account to explicitly list the secrets it allows to mount, we needed to create a role and rolebinding to support that.
This is a couple of extra annotations, but better security too.
| @@ -17,6 +17,8 @@ metadata: | |||
| labels: | |||
| {{- include "sentinel.labels" . | nindent 4 }} | |||
| app.kubernetes.io/operated-by: vsecm | |||
| annotations: | |||
| kubernetes.io/service-account.name: {{ include "sentinel.serviceAccountName" . }} | |||
There was a problem hiding this comment.
The secret explicitly specifies which ServiceAccount it is managed by.
Again, tighter security.
| @@ -95,6 +97,8 @@ metadata: | |||
| kubernetes.io/enforce-mountable-secrets: "true" | |||
| kubernetes.io/mountable-secrets: vsecm-sentinel-init-secret | |||
| automountServiceAccountToken: false | |||
| secrets: | |||
| - name: vsecm-sentinel-init-secret | |||
There was a problem hiding this comment.
It feels like repetitive since the above annotation already has the secret's name; but without it I get errors and the statefulset did not initialize — so I'm adding it nonetheless.
Also k8s docs say it's a good practice to be explicit about these kinds of secrets.
documentation updates and also setting version to
:latestin some example manifests to make following quickstart tutorials easier.