From 2b8b8390bcf22042ac9c164bab17a44c1291d4bc Mon Sep 17 00:00:00 2001
From: Remy Moll
Date: Sat, 21 Sep 2024 12:58:20 +0200
Subject: [PATCH] refined deployment config

---
 README.md                        | 3 +-
 base/kustomization.yaml          | 2 +-
 overlays/prod/kustomization.yaml | 3 +-
 overlays/stg/kustomization.yaml  | 4 +--
 rbac.yaml                        | 59 ++++++++++++++++++++++++++++++++
 5 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 rbac.yaml

diff --git a/README.md b/README.md
index bc378a2..b1eed6f 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,8 @@ kubectl -n rollout restart deployment/anyway-backend
 ### CI/CD and credentials
 For the deployment to work, the CI runner needs to authenticate against the kubernetes cluster. This is done by creating a service account in the cluster and providing the CI runner with the necessary credentials through a kubeconfig file. This file is stored as a repository secret `KUBE_CONFIG` and is used by the `kubectl` command in the CI pipeline.
-The RBAC configuration for the service included for your reference in the file `rbac.yaml`.
+The RBAC configuration for the service included for your reference in the file `rbac.yaml`. To use it, extract the token from the secret `deployment-token-secret`.
+Then fill in the token and service account name into the kubeconfig.
 ### Deployment environments
diff --git a/base/kustomization.yaml b/base/kustomization.yaml
index f972df4..1cf837a 100644
--- a/base/kustomization.yaml
+++ b/base/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - namespace.yaml
+  # - namespace.yaml
   - pvc.yaml
   - deployment.yaml
   - service.yaml
diff --git a/overlays/prod/kustomization.yaml b/overlays/prod/kustomization.yaml
index 956a70e..76506c6 100644
--- a/overlays/prod/kustomization.yaml
+++ b/overlays/prod/kustomization.yaml
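Review bot: Commenting out `namespace.yaml` leaves nothing in this repository that creates the `anyway-backend` namespace the overlays now target, and the Role added in `rbac.yaml` is namespace-scoped, so the CI service account cannot create it either. That out-of-band dependency should be recorded next to the dead entry, e.g. `# - namespace.yaml  # anyway-backend is created by a cluster admin; the CI role cannot create namespaces`. A separate, admin-applied kustomization holding the Namespace would be clearer than a commented line that will drift.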
@@ -4,7 +4,8 @@ kind: Kustomization
 resources:
   - ../../base
-namespace: anyway-prod
+namespace: anyway-backend
+nameSuffix: -prod
 images:
   - name: backend-image
diff --git a/overlays/stg/kustomization.yaml b/overlays/stg/kustomization.yaml
index 0fd698e..9d2dbd2 100644
--- a/overlays/stg/kustomization.yaml
+++ b/overlays/stg/kustomization.yaml
@@ -4,8 +4,8 @@ kind: Kustomization
 resources:
   - ../../base
-namespace: anyway-stg
-
+namespace: anyway-backend
+nameSuffix: -stg
 images:
   - name: backend-image
     newName: git.kluster.moll.re/anydev/anyway-backend
diff --git a/rbac.yaml b/rbac.yaml
new file mode 100644
index 0000000..4f5a832
--- /dev/null
+++ b/rbac.yaml
@@ -0,0 +1,59 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: anyway-backend
+  name: deployment-role
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - pods
+  - services
+  - deployments
+  - ingresses
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: deployment-rolebinding
+  namespace: anyway-backend
+subjects:
+- kind: ServiceAccount
+  name: deployment-sa
+  namespace: anyway-backend
+roleRef:
+  kind: Role
+  name: deployment-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: deployment-sa
+  namespace: anyway-backend
+automountServiceAccountToken: false
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: anyway-backend
+  name: deployment-token-secret
+  annotations:
+    kubernetes.io/service-account.name: deployment-sa
+type: kubernetes.io/service-account-token
+
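Review bot: Moving both environments into the single namespace `anyway-backend` (here and in the matching `overlays/stg/kustomization.yaml` hunk) removes the namespace as the isolation boundary between prod and staging: the one CI token bound by `deployment-role` in `rbac.yaml` now has identical rights over both, so a compromised or misconfigured staging pipeline can patch or delete prod resources. `nameSuffix` renames resources but does not change labels or selectors, so unless the base Deployment and Service already carry an environment-specific label (not visible in this diff), the prod Service may select staging pods and vice versa; adding `commonLabels: {environment: prod}` here and `commonLabels: {environment: stg}` in the staging overlay would keep the selectors disjoint. If separate namespaces are not an option, a per-environment ServiceAccount and RoleBinding would at least give each pipeline its own credential.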
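Review bot: The single rule lists `deployments` and `ingresses` under `apiGroups: [""]`, but those resources live in the `apps` and `networking.k8s.io` groups, so this Role grants no rights on them and the `kubectl rollout restart deployment/...` step documented in README.md will be denied; the rules need to be split per API group, as sketched below. The base also applies `pvc.yaml`, yet `persistentvolumeclaims` is absent from the rule, so `kubectl apply -k` will be denied on the PVC as well. Once the groups are correct, consider whether `deletecollection` and `create`/`delete` on `pods` are needed for an apply-plus-restart pipeline; the sketch keeps the original verb set so that decision stays explicit. The `kubernetes.io/service-account-token` Secret is a non-expiring credential once copied into `KUBE_CONFIG`, which deserves a rotation note on the Secret, e.g. `# long-lived token: rotate by deleting and re-creating this Secret, then update KUBE_CONFIG`.
```yaml
rules:
- apiGroups: [""]                   # core group
  resources: [pods, services, persistentvolumeclaims]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: ["apps"]               # Deployments are not in the core group
  resources: [deployments]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: ["networking.k8s.io"]  # Ingresses are not in the core group
  resources: [ingresses]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
# … unchanged: RoleBinding, ServiceAccount and Secret documents …
```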