Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
This will ease mirroring capabilities for the docker official images.
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I0f9177b0b83e4fad599ae0c3f3820202bf1d450d
The default value of the kubernetes keystone authorization webhook is
grossly outdated (v0.2). This patch set brings the default up to the
latest of this patch set (v1.19).
Change-Id: Idbf8d027ad6d5f4fb8bdedaf3047c06c66eef27d
Signed-off-by: Tin Lam <tin@irrational.io>
This implements security context override at pod level and adds
readOnly-fs to keystone-webhook container
Change-Id: Ia67947b7323e41363a5ee379c0dfb001936b5107
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.
This should fix it.
Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.
Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
This adds the security context to the
kubernetes-keystone-webhook. This changes the default
user from root to the nobody user.
This also adds the container security context to
explicitly set allowPrivilegeEscalation to false
Change-Id: I54621e94f2866a4b4301baa6b570472c5fcda291
This commit adds roles to kubernetes-keystone-webook policy
which has permissions similar to clusterrols cluster-admin,
edit and view present in kubernetes.
Check.sh script is also modified to test and verify the new
roles.
Change-Id: I43621d2e1036259064c805d97b340589a5b68c93
This patch set updates the default docker image to use the official
k8scloudprovider image for the kubernetes-keystone-webhook.
Change-Id: Ib9cc3efaf63569e20d07fa9b3ad9f45b49ab7cc9
Signed-off-by: Tin Lam <tin@irrational.io>
This PS updates the keysteone endpoints section used in the
webhook authenticator and the prometheus exporter.
Depends-On: https://review.openstack.org/#/c/588651
Change-Id: Ia2df0ec1b783705f7e2ac164a8729d61962e2bc8
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds the ability to deploy the Keystone Kubernetes Webhook
chart via kubeadm-aio
Change-Id: I18b0477a775de942f940e9c0984559089dca1cdb
Co-Authored-By: Tin Lam <tin@irrational.io>
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Signed-off-by: Pete Birley <pete@port.direct>
This patch set adds a kubernetes keystone webhook authorizer chart to
OpenStack-Helm-Infra.
Change-Id: I16136f4ac2a787e8bcf90eb0675294300ac088f0
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
