diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
new file mode 100644
index 00000000..65226a0f
--- /dev/null
+++ b/manifests/integrations/eventhub-credentials-sync/_base/kubectl-patch.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: credentials-sync-eventhub
+ namespace: flux-system
+spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
index dfd56766..72503148 100644
--- a/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
+patchesStrategicMerge:
+ - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
 objref:
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
new file mode 100644
index 00000000..8d2164b1
--- /dev/null
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
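Review bot: `image: bitnami/kubectl` in the `copy-kubectl` init container of the eventhub `_base/kubectl-patch.yaml` carries no tag or digest, so it resolves to `latest`, and whatever binary that tag holds at pull time is copied into `/kbin` for the `sync` container in `flux-system` to run. Pin it to a reviewed version and digest, for example `image: bitnami/kubectl:<version>@sha256:<digest>` (placeholders, to be filled with the values you have verified). The same unpinned reference appears in the other three `kubectl-patch.yaml` files this commit adds: eventhub `_cronjobs/_base`, registry `_base` and registry `_cronjobs/_base`.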
@@ -0,0 +1,30 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync-eventhub
+ namespace: flux-system
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
index dfd56766..72503148 100644
--- a/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/eventhub-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
+patchesStrategicMerge:
+ - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
 objref:
diff --git a/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
new file mode 100644
index 00000000..b054d7ce
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_base/kubectl-patch.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
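Review bot: The `copy-kubectl` init container in the eventhub `_cronjobs/_base/kubectl-patch.yaml` has no `securityContext`, while the eventhub Deployment patch in the same commit sets `privileged: false`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` on the identical container. The init container only writes to the `kbin` emptyDir, so the same three settings should work here unchanged. Copy that block under `- image: bitnami/kubectl` so all four patches agree. The registry `_base` and registry `_cronjobs/_base` patches omit it as well.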
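Review bot: Under `containers`, the `sync` container in the registry `_base/kubectl-patch.yaml` mounts `kbin` read-write although it only needs to execute the copied binary. Adding `readOnly: true` beside `mountPath: /kbin` on that mount keeps a process in `sync` from replacing `kubectl` after the init container has written it; the init container's own mount has to stay writable. A short comment such as `# sync only executes kubectl from here; copy-kubectl is the sole writer` would record the intent. The other three `kubectl-patch.yaml` files in this commit mount the volume the same way.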
diff --git a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
index c26a2c0a..2218f2b8 100644
--- a/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
+patchesStrategicMerge:
+ - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
 objref:
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
new file mode 100644
index 00000000..b4d83e22
--- /dev/null
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kubectl-patch.yaml
@@ -0,0 +1,30 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: credentials-sync
+ namespace: flux-system
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - image: bitnami/kubectl
+ name: copy-kubectl
+ # it's okay to do this because kubectl is a statically linked binary
+ command:
+ - sh
+ - -ceu
+ - cp $(which kubectl) /kbin/
+ resources: {}
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ containers:
+ - name: sync
+ volumeMounts:
+ - name: kbin
+ mountPath: /kbin
+ volumes:
+ - name: kbin
+ emptyDir: {}
diff --git a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
index c26a2c0a..2218f2b8 100644
--- a/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
+++ b/manifests/integrations/registry-credentials-sync/_cronjobs/_base/kustomization.yaml
@@ -7,6 +7,9 @@ commonLabels:
 resources:
 - sync.yaml
+patchesStrategicMerge:
+ - kubectl-patch.yaml
+
 vars:
 - name: KUBE_SECRET
 objref:
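Review bot: `apiVersion: batch/v1beta1` at the top of the registry `_cronjobs/_base/kubectl-patch.yaml` names a CronJob API that is no longer served from Kubernetes 1.25 onward (`batch/v1` has been available since 1.21). The eventhub `_cronjobs/_base` patch uses the same version. A strategic-merge patch has to match the apiVersion of its target in `sync.yaml`, which is not part of this diff, so the patch and its base would need to move to `apiVersion: batch/v1` together. If the clusters are pinned to an older release, a comment stating that constraint would help whoever upgrades next.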