github.com/replicatedcom/ship@v0.50.0/integration/init/istio-1.0.3/expected/.ship/upstream/charts/security/templates/create-custom-resources-job.yaml (about)

     1  apiVersion: v1
     2  kind: ServiceAccount
        # Account that the istio-security-post-install Job in this file runs as
        # (it is the value of the Job's serviceAccountName).
        # NOTE(review): this document carries no helm.sh/hook annotations, unlike
        # the Job, so it is presumably installed as a regular release resource and
        # stays in place after the hook Job is deleted - confirm, and consider
        # removing the account once the post-install step has completed.
     3  metadata:
     4    name: istio-security-post-install-account
     5    namespace: {{ .Release.Namespace }}
     6    labels:
     7      app: istio-security
            # NOTE(review): the Job's chart label replaces "+" with "_"; this one
            # does not, so a chart version carrying "+" build metadata would render
            # a label value that Kubernetes rejects.
     8      chart: {{ .Chart.Name }}-{{ .Chart.Version }}
     9      heritage: {{ .Release.Service }}
    10      release: {{ .Release.Name }}
    11  ---
    12  apiVersion: rbac.authorization.k8s.io/v1beta1
        # NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated and is no
        # longer served from Kubernetes 1.22; rbac.authorization.k8s.io/v1 replaces it.
    13  kind: ClusterRole
        # Permissions for the post-install Job's service account. This is a
        # ClusterRole attached through a ClusterRoleBinding (the next document in
        # this file), so every rule below applies in all namespaces, not only in
        # the release namespace.
    14  metadata:
          # The release namespace is part of the name, so installs into different
          # namespaces get separate cluster-scoped roles.
    15    name: istio-security-post-install-{{ .Release.Namespace }}
    16    labels:
    17      app: istio-security
            # NOTE(review): no replacement of "+" here, unlike the Job's chart label.
    18      chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    19      heritage: {{ .Release.Service }}
    20      release: {{ .Release.Name }}
    21  rules:
        # NOTE(review): the next two rules grant every verb on every resource of an
        # Istio API group, while their inline comments only state a need to create
        # objects. The script that uses these rights (run.sh) is not shown here;
        # naming the specific resources and verbs it needs would follow least
        # privilege and limit what a compromised job pod or token could change.
    22  - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
    23    resources: ["*"]
    24    verbs: ["*"]
    25  - apiGroups: ["networking.istio.io"] # needed to create security destination rules
    26    resources: ["*"]
    27    verbs: ["*"]
        # Read-only: fetch validating webhook configurations.
    28  - apiGroups: ["admissionregistration.k8s.io"]
    29    resources: ["validatingwebhookconfigurations"]
    30    verbs: ["get"]
        # Read-only: observe deployments and replica sets in the extensions group.
    31  - apiGroups: ["extensions"]
    32    resources: ["deployments", "replicasets"]
    33    verbs: ["get", "list", "watch"]
    34  ---
    35  apiVersion: rbac.authorization.k8s.io/v1beta1
        # NOTE(review): same deprecated RBAC API version as the ClusterRole;
        # rbac.authorization.k8s.io/v1 is the replacement.
    36  kind: ClusterRoleBinding
        # Grants the post-install ClusterRole to the post-install service account.
        # A ClusterRoleBinding is not namespaced, so the account holds the role's
        # rights in every namespace.
        # NOTE(review): no helm.sh/hook annotations here either, so the binding
        # presumably outlives the Job and leaves the wildcard Istio rights granted
        # to the account after installation - confirm, and remove the binding
        # when the post-install step is done if nothing else depends on it.
    37  metadata:
    38    name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
    39    labels:
    40      app: istio-security
            # NOTE(review): no replacement of "+" here, unlike the Job's chart label.
    41      chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    42      heritage: {{ .Release.Service }}
    43      release: {{ .Release.Name }}
    44  roleRef:
    45    apiGroup: rbac.authorization.k8s.io
    46    kind: ClusterRole
          # Must match the ClusterRole's metadata.name rendered for this release.
    47    name: istio-security-post-install-{{ .Release.Namespace }}
    48  subjects:
    49    - kind: ServiceAccount
    50      name: istio-security-post-install-account
    51      namespace: {{ .Release.Namespace }}
    52  ---
    53  
    54  apiVersion: batch/v1
    55  kind: Job
        # One-shot Job that runs run.sh against custom-resources.yaml after the
        # chart has been installed, using the post-install service account.
    56  metadata:
    57    name: istio-security-post-install
    58    namespace: {{ .Release.Namespace }}
    59    annotations:
            # Run as a Helm post-install hook; Helm deletes the Job only after it
            # succeeds, so a failed Job and its pod logs stay in the namespace.
    60      "helm.sh/hook": post-install
    61      "helm.sh/hook-delete-policy": hook-succeeded
    62    labels:
    63      app: istio-security
            # "+" is not allowed in a label value, hence the replacement with "_".
    64      chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    65      release: {{ .Release.Name }}
    66      heritage: {{ .Release.Service }}
    67  spec:
    68    template:
    69      metadata:
    70        name: istio-security-post-install
    71        labels:
    72          app: istio-security
    73          release: {{ .Release.Name }}
    74      spec:
              # The pod gets this account's token and with it the cluster-wide rights
              # of the istio-security-post-install ClusterRole defined in this file.
    75        serviceAccountName: istio-security-post-install-account
    76        containers:
                  # NOTE(review): no securityContext or resource limits are set on
                  # this container; consider runAsNonRoot and
                  # allowPrivilegeEscalation: false if the image supports it.
    77          - name: hyperkube
                  # Registry and tag come from chart values. NOTE(review): a tag
                  # is mutable; pinning the image by digest would fix exactly
                  # which image runs with the rights above.
    78            image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
                  # Both the script and the manifest it is given are read from the
                  # ConfigMap mounted below, which is defined outside this file.
                  # Whoever can edit that ConfigMap before the hook runs decides
                  # what executes under the service account, so write access to
                  # it should be restricted as tightly as the ClusterRole itself.
    79            command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
    80            volumeMounts:
    81              - mountPath: "/tmp/security"
    82                name: tmp-configmap-security
    83        volumes:
    84          - name: tmp-configmap-security
    85            configMap:
    86              name: istio-security-custom-resources
              # A failed container is restarted in place rather than failing the pod.
    87        restartPolicy: OnFailure