Last active
December 18, 2023 06:15
-
-
Save mlbiam/c22f982da9c4164a4ee1aa4c1dd9a664 to your computer and use it in GitHub Desktop.
vcluster-blog
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| network: | |
| openunison_host: "k8sou.apps.212.2.242.251.nip.io" | |
| dashboard_host: "k8sdb.apps.212.2.242.251.nip.io" | |
| api_server_host: "k8sapi.apps.212.2.242.251.nip.io" | |
| session_inactivity_timeout_seconds: 900 | |
| k8s_url: https://0.0.0.0:6443 | |
| force_redirect_to_tls: true | |
| createIngressCertificate: true | |
| ingress_type: nginx | |
| ingress_annotations: | |
| kubernetes.io/ingress.class: nginx | |
| cert_template: | |
| ou: "Kubernetes" | |
| o: "MyOrg" | |
| l: "My Cluster" | |
| st: "State of Cluster" | |
| c: "MyCountry" | |
| image: docker.io/tremolosecurity/openunison-k8s:latest | |
| myvd_config_path: "WEB-INF/myvd.conf" | |
| k8s_cluster_name: vcluster-control-plane | |
| enable_impersonation: true | |
| impersonation: | |
| use_jetstack: true | |
| jetstack_oidc_proxy_image: docker.io/tremolosecurity/kube-oidc-proxy:latest | |
| explicit_certificate_trust: true | |
| dashboard: | |
| namespace: "kubernetes-dashboard" | |
| cert_name: "kubernetes-dashboard-certs" | |
| label: "k8s-app=kubernetes-dashboard" | |
| service_name: kubernetes-dashboard | |
| certs: | |
| use_k8s_cm: false | |
| trusted_certs: | |
| - name: ldaps | |
| pem_b64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURlekNDQW1PZ0F3SUJBZ0lFR2owUUZ6QU5CZ2txaGtpRzl3MEJBUXNGQURCdE1Rd3dDZ1lEVlFRR0V3TmsKWlhZeEREQUtCZ05WQkFnVEEyUmxkakVNTUFvR0ExVUVCeE1EWkdWMk1Rd3dDZ1lEVlFRS0V3TmtaWFl4RERBSwpCZ05WQkFzVEEyUmxkakVsTUNNR0ExVUVBeE1jWVhCaFkyaGxaSE11WVdOMGFYWmxaR2x5WldOMGIzSjVMbk4yCll6QWdGdzB5TVRBM01EVXdNRFV6TWpoYUdBOHlNVEl4TURZeE1UQXdOVE15T0Zvd2JURU1NQW9HQTFVRUJoTUQKWkdWMk1Rd3dDZ1lEVlFRSUV3TmtaWFl4RERBS0JnTlZCQWNUQTJSbGRqRU1NQW9HQTFVRUNoTURaR1YyTVF3dwpDZ1lEVlFRTEV3TmtaWFl4SlRBakJnTlZCQU1USEdGd1lXTm9aV1J6TG1GamRHbDJaV1JwY21WamRHOXllUzV6CmRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDNlNVQUJRSUZkYnRwZGJ3WEEKT05ablJVQlFBMEVyK2hWYmkxUHNWSnNaaUlGZjhJRC8xZXBPN0M4QlViVXN1U3dWWkc5ZEJIV3o0RFBwWUUrKwp2dmxrTEs1cEdiTnJQbDdFd241clJLRE5PeVR5ZUNBcFMzSVNsRW1iaVNQUjBuYXd5ckpoNjhQQ0I1bURSNTNmCmh1bFhPQ0dTd3ZNN2RwM2RPc3lFQmRlVkw3aTFnbkJNYi9wN05YdTN5WmlWaDlpS3pqaENrZndqL0VsNTZaUHEKYmsvOGtQN0xBdTFvZGJWTkZGSUx5clB6SFBFU3I3N0preHcvKytPTmhtblA2UFBiU3FtRm0rcUVEYWhQanBFZgpscUdaY3BsOEZ0VXBzTG5JK3B4blI5eWU5ZUNpVDVuaDhlTEhobkVFNzFpVE1rb2xrSHdxSm5xV1R3ZlF2b1g5CkM2SERBZ01CQUFHaklUQWZNQjBHQTFVZERnUVdCQlRjOGlDU055NnhSM2M5OU1aYkZUODgzREs1V0RBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFOMEkwZnJDSzdYNGRHRmpGLzFpb3czUUwvbTcwemVIemlQVVFFUUdONXBFMwpyMlZZL0ZHWGdNV0tFSXpHa2hMZW5CUXRxRE5Pbm4vL1JjK0Y2anM1RkNOVXhaT2V4ekl2aElhY0M4YUhzRWpFClRnclI5OWNqUVdsdzFhSVF0YUhkSmVqYXdYcU50YU1FMSt4RlJBQTNCWUF1T3BveW9wQ0NoMXdJaTEvQk84TlQKVmFaancxQU8xd1ZUaTJ3SUtCSUp1Z0N2T0dYZEt3YzBuL0I4bzRRQkpScklRZEJnbzJVNjFBbkMxaWM4b0d3RwpxekN1V0dDenZjam9xNWFNcTliS0YyNHBQaDR3cWZMZnZGdWNsYmFIUlBiSmpxT3l0V3gzczhNV0lvRUNzdlhLCnhIYmJvSnU0c1AwLzRBMGQ4K25OOXI1MU8xalFaWHd0b3hwenFTV2ZlZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= | |
| monitoring: | |
| prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s | |
| network_policies: | |
| enabled: false | |
| ingress: | |
| enabled: true | |
| labels: | |
| app.kubernetes.io/name: ingress-nginx | |
| monitoring: | |
| enabled: true | |
| labels: | |
| app.kubernetes.io/name: monitoring | |
| apiserver: | |
| enabled: false | |
| labels: | |
| app.kubernetes.io/name: kube-system | |
| active_directory: | |
| base: DC=domain,DC=com | |
| host: "apacheds.activedirectory.svc" | |
| port: "10636" | |
| bind_dn: "cn=ou_svc_account,ou=Users,DC=domain,DC=com" | |
| con_type: ldaps | |
| srv_dns: "false" | |
| database: | |
| hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect | |
| quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate | |
| driver: com.mysql.jdbc.Driver | |
| url: jdbc:mysql://mariadb.mariadb.svc:3306/unison | |
| user: unison | |
| validation: SELECT 1 | |
| smtp: | |
| host: blackhole.blackhole.svc.cluster.local | |
| port: 1025 | |
| user: "none" | |
| from: donotreply@domain.com | |
| tls: false | |
| openunison: | |
| enable_provisioning: true | |
| use_standard_jit_workflow: false | |
| replicas: 1 | |
| non_secret_data: | |
| K8S_DB_SSO: oidc | |
| SHOW_PORTAL_ORGS: "true" | |
| VCLUSTER_DOMAIN_ROOT: "vclusters.212.2.242.251.nip.io" | |
| K8S_DEPLOYMENT_NAME: "vcluster Control Plane" | |
| secrets: [] | |
| html: | |
| image: docker.io/tremolosecurity/openunison-k8s-html:latest | |
| naas: | |
| workflows: | |
| new_namespace: | |
| post_namespace_create_workflow: check-for-vcluster | |
| groups: | |
| internal: | |
| enabled: true | |
| external: | |
| enabled: false | |
| forms: | |
| new_namespace: | |
| additional_attributes: | |
| - name: tenant_type | |
| displayName: Tenant Type | |
| regEx: ".*" | |
| regExFailedMsg: "Invalid option" | |
| minChars: 0 | |
| maxChars: 0 | |
| unique: false | |
| type: list | |
| values: | |
| Namespace: "namespace" | |
| vcluster: "vcluster" | |
| operator: | |
| image: docker.io/tremolosecurity/openunison-operator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: OUJob | |
| metadata: | |
| name: wait-for | |
| namespace: openunison | |
| spec: | |
| className: com.tremolosecurity.provisioning.jobs.WaitForJob | |
| cronSchedule: | |
| dayOfMonth: '*' | |
| dayOfWeek: '?' | |
| hours: '*' | |
| minutes: '*' | |
| month: '*' | |
| seconds: '*/10' | |
| year: '*' | |
| group: admin | |
| params: | |
| - name: target | |
| value: k8s | |
| - name: namespace | |
| value: openunison | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Workflow | |
| metadata: | |
| name: check-for-vcluster | |
| namespace: openunison | |
| spec: | |
| description: checks for vcluster, and if requested creates it | |
| inList: false | |
| label: do nothing | |
| orgId: x | |
| tasks: |- | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| function init(task,params) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| Attribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| user.getAttribs().put("tenant_type",new Attribute("tenant_type",request.get("tenant_type").toString())); | |
| return true; | |
| } | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: pre-tenant-check | |
| - taskType: ifAttrHasValue | |
| name: tenant_type | |
| value: "vcluster" | |
| onSuccess: | |
| - taskType: callWorkflow | |
| name: vcluster-post-namespace-create | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Workflow | |
| metadata: | |
| name: vcluster-post-namespace-create | |
| namespace: openunison | |
| spec: | |
| description: Create vCluster | |
| inList: false | |
| label: do nothing | |
| orgId: x | |
| tasks: |- | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.CreateK8sObject | |
| params: | |
| targetName: $cluster$ | |
| template: |- | |
| --- | |
| apiVersion: v1 | |
| kind: PersistentVolumeClaim | |
| metadata: | |
| name: vcluster-audit-logs | |
| namespace: $nameSpace$ | |
| spec: | |
| accessModes: | |
| - ReadWriteOnce | |
| resources: | |
| requests: | |
| storage: 1Gi | |
| kind: PersistentVolumeClaim | |
| url: /api/v1/namespaces/$nameSpace$/persistentvolumeclaims | |
| srcType: yaml | |
| writeToRequest: "$useGit$" | |
| requestAttribute: git-secret-cluster-k8s-$nameSpace$ | |
| path: /yaml/ns/$nameSpace$/persistentvolumeclaims/vcluster-audit-logs.yaml | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.CreateK8sObject | |
| params: | |
| targetName: $cluster$ | |
| template: |- | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: k8s-audit-policy | |
| namespace: $nameSpace$ | |
| data: | |
| k8s-audit-policy.yaml: "apiVersion: audit.k8s.io/v1\r\nkind: Policy\r\nrules:\r\n # The following requests were manually identified as high-volume and low-risk,\r\n # so drop them.\r\n - level: None\r\n users: [\"system:kube-proxy\"]\r\n verbs: [\"watch\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"endpoints\", \"services\", \"services/status\"]\r\n - level: None\r\n # Ingress controller reads 'configmaps/ingress-uid' through the unsecured port.\r\n # TODO(#46983): Change this to the ingress controller service account.\r\n users: [\"system:unsecured\"]\r\n namespaces: [\"kube-system\"]\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"configmaps\"]\r\n - level: None\r\n users: [\"kubelet\"] # legacy kubelet identity\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes\", \"nodes/status\"]\r\n - level: None\r\n userGroups: [\"system:nodes\"]\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes\", \"nodes/status\"]\r\n - level: None\r\n users:\r\n - system:kube-controller-manager\r\n - system:kube-scheduler\r\n - system:serviceaccount:kube-system:endpoint-controller\r\n verbs: [\"get\", \"update\"]\r\n namespaces: [\"kube-system\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"endpoints\"]\r\n - level: None\r\n users: [\"system:apiserver\"]\r\n verbs: [\"get\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"namespaces\", \"namespaces/status\", \"namespaces/finalize\"]\r\n - level: None\r\n users: [\"cluster-autoscaler\"]\r\n verbs: [\"get\", \"update\"]\r\n namespaces: [\"kube-system\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"configmaps\", \"endpoints\"]\r\n # Don't log HPA fetching metrics.\r\n - level: None\r\n users:\r\n - system:kube-controller-manager\r\n verbs: [\"get\", \"list\"]\r\n resources:\r\n - group: \"metrics.k8s.io\"\r\n\r\n # Don't log these read-only URLs.\r\n - level: None\r\n nonResourceURLs:\r\n - /healthz*\r\n - /version\r\n - /swagger*\r\n\r\n # Don't log events requests.\r\n - level: None\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"events\"]\r\n\r\n # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes\r\n - level: Request\r\n users: [\"kubelet\", \"system:node-problem-detector\", \"system:serviceaccount:kube-system:node-problem-detector\"]\r\n verbs: [\"update\",\"patch\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes/status\", \"pods/status\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n - level: Request\r\n userGroups: [\"system:nodes\"]\r\n verbs: [\"update\",\"patch\"]\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"nodes/status\", \"pods/status\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n\r\n # deletecollection calls can be large, don't log responses for expected namespace deletions\r\n - level: Request\r\n users: [\"system:serviceaccount:kube-system:namespace-controller\"]\r\n verbs: [\"deletecollection\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n\r\n # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,\r\n # so only log at the Metadata level.\r\n - level: Metadata\r\n resources:\r\n - group: \"\" # core\r\n resources: [\"secrets\", \"configmaps\"]\r\n - group: authentication.k8s.io\r\n resources: [\"tokenreviews\"]\r\n omitStages:\r\n - \"RequestReceived\"\r\n # Get repsonses can be large; skip them.\r\n - level: Request\r\n verbs: [\"get\", \"list\", \"watch\"]\r\n resources:\r\n - group: \"\" # core\r\n - group: \"admissionregistration.k8s.io\"\r\n - group: \"apiextensions.k8s.io\"\r\n - group: \"apiregistration.k8s.io\"\r\n - group: \"apps\"\r\n - group: \"authentication.k8s.io\"\r\n - group: \"authorization.k8s.io\"\r\n - group: \"autoscaling\"\r\n - group: \"batch\"\r\n - group: \"certificates.k8s.io\"\r\n - group: \"extensions\"\r\n - group: \"metrics.k8s.io\"\r\n - group: \"networking.k8s.io\"\r\n - group: \"node.k8s.io\"\r\n - group: \"policy\"\r\n - group: \"rbac.authorization.k8s.io\"\r\n - group: \"scheduling.k8s.io\"\r\n - group: \"settings.k8s.io\"\r\n - group: \"storage.k8s.io\"\r\n omitStages:\r\n - \"RequestReceived\"\r\n # Default level for known APIs\r\n - level: RequestResponse\r\n resources:\r\n - group: \"\" # core\r\n - group: \"admissionregistration.k8s.io\"\r\n - group: \"apiextensions.k8s.io\"\r\n - group: \"apiregistration.k8s.io\"\r\n - group: \"apps\"\r\n - group: \"authentication.k8s.io\"\r\n - group: \"authorization.k8s.io\"\r\n - group: \"autoscaling\"\r\n - group: \"batch\"\r\n - group: \"certificates.k8s.io\"\r\n - group: \"extensions\"\r\n - group: \"metrics.k8s.io\"\r\n - group: \"networking.k8s.io\"\r\n - group: \"node.k8s.io\"\r\n - group: \"policy\"\r\n - group: \"rbac.authorization.k8s.io\"\r\n - group: \"scheduling.k8s.io\"\r\n - group: \"settings.k8s.io\"\r\n - group: \"storage.k8s.io\"\r\n omitStages:\r\n - \"RequestReceived\"\r\n # Default level for all other requests.\r\n - level: Metadata\r\n omitStages:\r\n - \"RequestReceived\"\r\n" | |
| kind: ConfigMap | |
| url: /api/v1/namespaces/$nameSpace$/configmaps | |
| srcType: yaml | |
| writeToRequest: "$useGit$" | |
| requestAttribute: git-secret-cluster-k8s-$nameSpace$ | |
| path: /yaml/ns/$nameSpace$/configmaps/k8s-audit-policy.yaml | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.CreateK8sObject | |
| params: | |
| targetName: $cluster$ | |
| template: |- | |
| apiVersion: cluster.x-k8s.io/v1beta1 | |
| kind: Cluster | |
| metadata: | |
| name: vcluster | |
| namespace: $nameSpace$ | |
| spec: | |
| controlPlaneRef: | |
| apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 | |
| kind: VCluster | |
| name: vcluster | |
| infrastructureRef: | |
| apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 | |
| kind: VCluster | |
| name: vcluster | |
| kind: Cluster | |
| url: /apis/cluster.x-k8s.io/v1beta1/namespaces/$nameSpace$/clusters | |
| srcType: yaml | |
| writeToRequest: "$useGit$" | |
| requestAttribute: git-secret-cluster-k8s-$nameSpace$ | |
| path: /yaml/ns/$nameSpace$/clusters/vcluster.yaml | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.CreateK8sObject | |
| params: | |
| targetName: $cluster$ | |
| template: |- | |
| --- | |
| apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 | |
| kind: VCluster | |
| metadata: | |
| name: vcluster | |
| namespace: $nameSpace$ | |
| spec: | |
| controlPlaneEndpoint: | |
| host: "" | |
| port: 0 | |
| helmRelease: | |
| chart: | |
| name: null | |
| repo: null | |
| version: null | |
| values: |- | |
| #sync: | |
| # nodes: | |
| # enabled: true | |
| volumes: | |
| - name: audit-policy-volume | |
| configMap: | |
| name: k8s-audit-policy | |
| - name: audit-log-data | |
| persistentVolumeClaim: | |
| claimName: vcluster-audit-logs | |
| vcluster: | |
| volumeMounts: | |
| # keep data volume mount! | |
| - mountPath: /data | |
| name: data | |
| - mountPath: /var/lib/rancher/k3s/server/log-config | |
| name: audit-policy-volume | |
| - mountPath: /var/lib/rancher/k3s/server/logs | |
| name: audit-log-data | |
| extraArgs: | |
| - "--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'" | |
| - "--kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/log-config/k8s-audit-policy.yaml'" | |
| kubernetesVersion: 1.23.0 | |
| kind: VCluster | |
| url: /apis/infrastructure.cluster.x-k8s.io/v1alpha1/namespaces/$nameSpace$/vclusters | |
| srcType: yaml | |
| writeToRequest: "$useGit$" | |
| requestAttribute: git-secret-cluster-k8s-$nameSpace$ | |
| path: /yaml/ns/$nameSpace$/vclusters/vcluster.yaml | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.CreateK8sObject | |
| params: | |
| targetName: $cluster$ | |
| template: |- | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: helm-values-$WORKFLOW_ID$-$nameSpace$-yaml | |
| namespace: openunison | |
| data: | |
| values.yaml: |- | |
| vcluster: | |
| label: vcluster-$nameSpace$ | |
| name: vcluster | |
| namespace: $nameSpace$ | |
| api_server_host: k8sapi.$nameSpace$.#[VCLUSTER_DOMAIN_ROOT] | |
| dashboard_host: k8sdb.$nameSpace$.#[VCLUSTER_DOMAIN_ROOT] | |
| openunison_host: k8sou.$nameSpace$.#[VCLUSTER_DOMAIN_ROOT] | |
| createIngressCertificate: true | |
| ingress_annotations: {} | |
| az_groups: | |
| - k8s-namespace-administrators-$cluster$-$nameSpace$-internal | |
| - k8s-namespace-administrators-$cluster$-$nameSpace$-external | |
| kind: ConfigMap | |
| url: /api/v1/namespaces/openunison/configmaps | |
| srcType: yaml | |
| writeToRequest: "$useGit$" | |
| requestAttribute: git-secret-cluster-k8s-$nameSpace$ | |
| path: /yaml/ns/$nameSpace$/configmaps/k8s-audit-policy.yaml | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.WaitForStatus | |
| params: | |
| holdingTarget: k8s | |
| namespace: openunison | |
| target: $cluster$ | |
| uri: /apis/apps/v1/namespaces/$nameSpace$/statefulsets/vcluster | |
| label: wait-for-vcluster | |
| conditions: | |
| - .status.readyReplicas=1 | |
| - .status.replicas=1 | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.CreateK8sObject | |
| params: | |
| targetName: k8s | |
| template: |- | |
| --- | |
| kind: Job | |
| apiVersion: batch/v1 | |
| metadata: | |
| name: helm-install-vcluster-$nameSpace$ | |
| namespace: openunison | |
| spec: | |
| parallelism: 1 | |
| completions: 1 | |
| backoffLimit: 3 | |
| selector: | |
| matchLabels: | |
| job-name: helm-install-vcluster-$nameSpace$ | |
| template: | |
| metadata: | |
| name: helm-install-vcluster-$nameSpace$ | |
| namespace: openunison | |
| labels: | |
| job-name: helm-install-vcluster-$nameSpace$ | |
| spec: | |
| containers: | |
| - args: | |
| - /usr/local/openunison/run-helm.sh | |
| image: docker.io/mlbiam/vcluster-onboard | |
| imagePullPolicy: Always | |
| name: helm-install | |
| resources: {} | |
| volumeMounts: | |
| - mountPath: /etc/openunison | |
| name: vcluster-helm-values | |
| env: | |
| - name: TREMOLO_HELM_REPO | |
| value: "https://nexus.tremolo.io/repository/helm/" | |
| - name: HELM_DEPLOYMENT | |
| value: helm-install-vcluster-$nameSpace$ | |
| - name: HELM_CHART | |
| value: vcluster-onboard | |
| - name: TARGET_NAMESPACE | |
| value: openunison | |
| - name: PATH_TO_VALUES | |
| value: /etc/openunison/values.yaml | |
| dnsPolicy: ClusterFirst | |
| serviceAccount: openunison-orchestra | |
| serviceAccountName: openunison-orchestra | |
| restartPolicy: OnFailure | |
| volumes: | |
| - name: vcluster-helm-values | |
| configMap: | |
| name: helm-values-$WORKFLOW_ID$-$nameSpace$-yaml | |
| kind: Job | |
| url: /apis/batch/v1/namespaces/openunison/jobs | |
| srcType: yaml | |
| writeToRequest: "$useGit$" | |
| requestAttribute: git-secret-cluster-k8s-$nameSpace$ | |
| path: /yaml/ns/$nameSpace$/configmaps/k8s-audit-policy.yaml | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment