James Andariese
2a9b3551f8
* adds a server cert from the mtls CA for mtls clients * adds gost as a tls offload for non-mtls clients to work around https://github.com/eclipse/mosquitto/issues/1839 * adds wildcard-tls through external secrets and removes template operator version * removes non-working websockets listener * fixes tests to work with mtls and non-mtls
75 lines
1.4 KiB
YAML
75 lines
1.4 KiB
YAML
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
namespace: wildcard-tls
|
|
name: wildcard-tls-reader
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- authorization.k8s.io
|
|
resources:
|
|
- selfsubjectrulesreviews
|
|
verbs:
|
|
- create
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: wildcard-tls-sa
|
|
namespace: mosquitto
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: wildcard-tls-reader-from-mosquitto
|
|
namespace: wildcard-tls
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: wildcard-tls-reader
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: wildcard-tls-sa
|
|
namespace: mosquitto
|
|
---
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: SecretStore
|
|
metadata:
|
|
name: wildcard-tls
|
|
namespace: mosquitto
|
|
spec:
|
|
provider:
|
|
kubernetes:
|
|
# with this, the store is able to pull only from `default` namespace
|
|
remoteNamespace: wildcard-tls
|
|
server:
|
|
caProvider:
|
|
type: ConfigMap
|
|
name: kube-root-ca.crt
|
|
key: ca.crt
|
|
auth:
|
|
serviceAccount:
|
|
name: "wildcard-tls-sa"
|
|
---
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: wildcard-tls
|
|
namespace: mosquitto
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: SecretStore
|
|
name: wildcard-tls
|
|
target:
|
|
name: wildcard-tls
|
|
dataFrom:
|
|
- extract:
|
|
key: wildcard-tls
|