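# The reason for creating a ServiceAccount and ClusterRole specifically for this
# post-delete hooked job is because the citadel ServiceAccount is being deleted
# before this hook is launched. On the other hand, running this hook before the
# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
# will be re-created immediately by the to-be-deleted citadel.
#
# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
# will be ready before running the hooked Job therefore the hook weights.
#
# Hook ordering (helm.sh/hook-weight): ServiceAccount and ClusterRole at 1,
# ClusterRoleBinding at 2, Job at 3. With hook-delete-policy: hook-succeeded
# all four objects are removed only after the Job succeeds; if it fails they
# are not removed automatically.
#
# The chart label applies `replace "+" "_"` in every document: '+' is not a
# valid character in a Kubernetes label value, and previously only the Job
# label did so while the three RBAC-related objects did not.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-cleanup-secrets-service-account
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    "helm.sh/hook-weight": "1"
  labels:
    app: {{ template "security.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
---
# NOTE(review): this chart targets the v1beta1 RBAC API; clusters that serve
# only rbac.authorization.k8s.io/v1 will reject it — confirm against the
# Kubernetes versions the chart supports before changing the apiVersion.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  # Cluster-scoped object, so the name is suffixed with the release namespace
  # (presumably to keep releases in different namespaces from colliding).
  name: istio-cleanup-secrets-{{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    "helm.sh/hook-weight": "1"
  labels:
    app: {{ template "security.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  # list/delete on secrets across the whole cluster is needed because the Job
  # below walks every namespace (--all-namespaces). No other verbs or
  # resources are granted to this short-lived identity.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-cleanup-secrets-{{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    # Weight 2: bound only after both the ServiceAccount and the ClusterRole
    # (weight 1) exist.
    "helm.sh/hook-weight": "2"
  labels:
    app: {{ template "security.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-cleanup-secrets-{{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: istio-cleanup-secrets-service-account
    namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-cleanup-secrets
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded
    # Weight 3: runs only once the binding (weight 2) is in place.
    "helm.sh/hook-weight": "3"
  labels:
    app: {{ template "security.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  template:
    metadata:
      name: istio-cleanup-secrets
      labels:
        app: {{ template "security.name" . }}
        release: {{ .Release.Name }}
    spec:
      # The dedicated ServiceAccount from the first document; the citadel
      # ServiceAccount is already gone by the time a post-delete hook runs.
      serviceAccountName: istio-cleanup-secrets-service-account
      containers:
        - name: hyperkube
          image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
          command:
            - /bin/bash
            - -c
            # Folded scalar: the lines below are joined with spaces, hence the
            # explicit ';' terminators. Secrets are selected by a substring
            # match of "istio.io/key-and-cert" on the TYPE column of the
            # tabular output; columns 1 and 2 of each matching row are the
            # namespace and name. Shell variables are quoted so an unexpected
            # value cannot be word-split or glob-expanded.
            - >
              kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
                ns=$(echo "$entry" | awk '{print $1}');
                name=$(echo "$entry" | awk '{print $2}');
                kubectl delete secret "$name" -n "$ns";
              done
      # A failed cleanup is retried in place rather than marking the Job done.
      restartPolicy: OnFailure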