✨ Allow custom signer signingCA to specify namespace in addOnTemplate #350

Merged
Expand Up @@ -372,15 +372,19 @@ spec:
signingCA:
description: |-
SigningCA represents the reference of the secret on the hub cluster to sign the CSR
the secret must be in the namespace where the addon-manager is located, and the secret
type must be "kubernetes.io/tls"
the secret type must be "kubernetes.io/tls"
Note: The addon manager will not have permission to access the secret by default, so
the user must grant the permission to the addon manager(by creating rolebinding for
the addon-manager serviceaccount "addon-manager-controller-sa").
the user must grant the permission to the addon manager(by creating rolebinding/clusterrolebinding
for the addon-manager serviceaccount "addon-manager-controller-sa").
properties:
name:
description: Name of the signing CA secret
type: string
namespace:
description: Namespace of the signing CA secret, the
namespace of the addon-manager will be used if it
is not set.
type: string
required:
- name
type: object
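Review bot: The new `namespace` property makes `signingCA` a cross-namespace reference, but the description in this hunk still only says the secret type must be `kubernetes.io/tls` and that a "rolebinding/clusterrolebinding" is needed; it should state that when `namespace` is set the binding must exist in that namespace, and recommend a RoleBinding scoped to the signing-CA secret's namespace over a ClusterRoleBinding, since a ClusterRoleBinding grants the addon-manager the same secret access in every namespace. Two wording nits in the same block: `the addon manager(by creating` is missing a space before the parenthesis, and the `namespace` description is a comma splice; suggest `Namespace of the signing CA secret. If not set, the namespace of the addon-manager is used.`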
10 changes: 6 additions & 4 deletions addon/v1alpha1/types_addontemplate.go
Expand Up @@ -170,11 +170,10 @@ type CustomSignerRegistrationConfig struct {
Subject *Subject `json:"subject,omitempty"`

// SigningCA represents the reference of the secret on the hub cluster to sign the CSR
// the secret must be in the namespace where the addon-manager is located, and the secret
// type must be "kubernetes.io/tls"
// the secret type must be "kubernetes.io/tls"
// Note: The addon manager will not have permission to access the secret by default, so
// the user must grant the permission to the addon manager(by creating rolebinding for
// the addon-manager serviceaccount "addon-manager-controller-sa").
// the user must grant the permission to the addon manager(by creating rolebinding/clusterrolebinding
// for the addon-manager serviceaccount "addon-manager-controller-sa").
// +kubebuilder:validation:Required
SigningCA SigningCARef `json:"signingCA"`
}
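Review bot: The Go comment carries the same gaps as the CRD description above: `the addon manager(by creating` needs a space before the parenthesis, and now that `SigningCARef` can name a namespace the note should say where the binding goes. Suggest `// the user must grant the permission to the addon manager (by creating a RoleBinding in the secret's namespace, or a ClusterRoleBinding,` / `// for the addon-manager serviceaccount "addon-manager-controller-sa").`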
Expand All @@ -185,6 +184,9 @@ type SigningCARef struct {
// Name of the signing CA secret
// +kubebuilder:validation:Required
Name string `json:"name"`
// Namespace of the signing CA secret, the namespace of the addon-manager will be used if it is not set.
// +optional
Namespace string `json:"namespace,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
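Review bot: The new `Namespace` field is marked `+optional` but carries no validation, so a malformed value is accepted at admission and only surfaces later when the addon-manager fails to look up the secret; suggest constraining it to a DNS-1123 label alongside the existing `+optional` marker, e.g. `// +kubebuilder:validation:MaxLength=63` and `// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`. The doc comment is also a comma splice; suggest `// Namespace of the signing CA secret. If not set, the namespace of the addon-manager is used.` The CRD description in this PR mirrors this comment, so fixing it here covers both.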
7 changes: 4 additions & 3 deletions addon/v1alpha1/zz_generated.swagger_doc_generated.go
