diff --git a/apis/installer/v1alpha1/types.go b/apis/installer/v1alpha1/types.go
index 4f380df43..f18f12605 100644
--- a/apis/installer/v1alpha1/types.go
+++ b/apis/installer/v1alpha1/types.go
@@ -126,8 +126,9 @@ type EASMonitoring struct {
}
type SecuritySpec struct {
- Apparmor ApparmorSpec `json:"apparmor"`
- Seccomp SeccompSpec `json:"seccomp"`
+ CopyAuthenticationConfigMap bool `json:"copyAuthenticationConfigMap"`
+ Apparmor ApparmorSpec `json:"apparmor"`
+ Seccomp SeccompSpec `json:"seccomp"`
//+optional
PodSecurityPolicies []string `json:"podSecurityPolicies"`
CreatePSPs CreatePSPSpec `json:"createPSPs"`
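Review bot: The new exported field CopyAuthenticationConfigMap has no doc comment, so a reader of SecuritySpec cannot tell what it switches on, and the README rows added for it in this same change (charts/stash-community/README.md and charts/stash-enterprise/README.md) leave the description column empty as well. I would add above the field `// CopyAuthenticationConfigMap, when true, copies kube-system/extension-apiserver-authentication into the release namespace and points the operator's --authentication-configmap-namespace flag at it; when false the operator reads the ConfigMap from kube-system.` and reuse that sentence in both README rows. The field is required by the values schema (no `//+optional` here, and it is listed under `required:` in every values.openapiv3_schema.yaml hunk), which looks intentional given the default of true, but worth confirming since it is the only new key in this change that installs with no way to omit it.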
diff --git a/charts/stash-community/README.md b/charts/stash-community/README.md
index cb5c35e03..60f8800a1 100644
--- a/charts/stash-community/README.md
+++ b/charts/stash-community/README.md
@@ -103,6 +103,7 @@ The following table lists the configurable parameters of the `stash-community` c
| monitoring.backup | Specify whether to monitor Stash backup and recovery | false |
| monitoring.operator | Specify whether to monitor Stash operator | false |
| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} |
+| security.copyAuthenticationConfigMap | | true |
| security.apparmor.enabled | `Optional:` Allows the default AppArmor profile, requires setting the default. | false |
| security.seccomp.enabled | `Optional:` Allows the default seccomp profile, requires setting the default. | false |
| security.podSecurityPolicies | PSP names passed to operator
Example:
`helm install appscode/stash \`
`--set podSecurityPolicies[0]=abc \`
`--set podSecurityPolicies[1]=xyz` | ["baseline"] |
diff --git a/charts/stash-community/values.openapiv3_schema.yaml b/charts/stash-community/values.openapiv3_schema.yaml
index e04b711ad..1932c4fe8 100644
--- a/charts/stash-community/values.openapiv3_schema.yaml
+++ b/charts/stash-community/values.openapiv3_schema.yaml
@@ -1727,6 +1727,8 @@ properties:
enabled:
type: boolean
type: object
+ copyAuthenticationConfigMap:
+ type: boolean
createPSPs:
properties:
baseline:
@@ -1748,6 +1750,7 @@ properties:
type: object
required:
- apparmor
+ - copyAuthenticationConfigMap
- createPSPs
- seccomp
type: object
diff --git a/charts/stash-community/values.yaml b/charts/stash-community/values.yaml
index 99c777795..3bb1abf74 100644
--- a/charts/stash-community/values.yaml
+++ b/charts/stash-community/values.yaml
@@ -184,6 +184,7 @@ monitoring:
# Only usable when monitoring agent is `prometheus.io/operator`.
labels: {}
security:
+ copyAuthenticationConfigMap: true
apparmor:
# `Optional:` Allows the default AppArmor profile, requires setting the default.
enabled: false
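Review bot: `copyAuthenticationConfigMap: true` is the only key in the `security:` block without an explanatory comment, and the same applies to the matching hunk in charts/stash-enterprise/values.yaml. Suggest `# Copy kube-system/extension-apiserver-authentication into the release namespace and read it from there instead of kube-system.` above the key; since the copy is done with a template `lookup`, the user running helm presumably needs read access to that ConfigMap, which is worth stating in the comment if confirmed. In this diff only the stash-enterprise templates consume the value; if the community chart's templates do not, the community default here is inert and should say so.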
diff --git a/charts/stash-enterprise/Chart.yaml b/charts/stash-enterprise/Chart.yaml
index d27f4b165..cebe21150 100755
--- a/charts/stash-enterprise/Chart.yaml
+++ b/charts/stash-enterprise/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
description: Enterprise features for Stash by AppsCode
name: stash-enterprise
version: v0.30.0
-appVersion: v0.30.0
+appVersion: v0.30.1
home: https://stash.run
icon: https://cdn.appscode.com/images/products/stash/stash-enterprise-icon.png
sources:
diff --git a/charts/stash-enterprise/README.md b/charts/stash-enterprise/README.md
index cc0c2341a..4d7bd1444 100644
--- a/charts/stash-enterprise/README.md
+++ b/charts/stash-enterprise/README.md
@@ -103,6 +103,7 @@ The following table lists the configurable parameters of the `stash-enterprise`
| monitoring.backup | Specify whether to monitor Stash backup and recovery | false |
| monitoring.operator | Specify whether to monitor Stash operator | false |
| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} |
+| security.copyAuthenticationConfigMap | | true |
| security.apparmor.enabled | `Optional:` Allows the default AppArmor profile, requires setting the default. | false |
| security.seccomp.enabled | `Optional:` Allows the default seccomp profile, requires setting the default. | false |
| security.podSecurityPolicies | PSP names passed to operator
Example:
`helm install appscode/stash \`
`--set podSecurityPolicies[0]=abc \`
`--set podSecurityPolicies[1]=xyz` | ["baseline"] |
diff --git a/charts/stash-enterprise/templates/apiregistration.yaml b/charts/stash-enterprise/templates/apiregistration.yaml
index 72520d5c1..ff2922737 100644
--- a/charts/stash-enterprise/templates/apiregistration.yaml
+++ b/charts/stash-enterprise/templates/apiregistration.yaml
@@ -82,7 +82,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "stash-enterprise.fullname" . }}-apiserver-extension-server-authentication-reader
- namespace: kube-system
+ namespace: {{ ternary .Release.Namespace "kube-system" .Values.security.copyAuthenticationConfigMap }}
labels:
{{- include "stash-enterprise.labels" . | nindent 4 }}
roleRef:
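Review bot: Moving this RoleBinding into `.Release.Namespace` when copyAuthenticationConfigMap is true only grants access if the Role named in roleRef exists in that namespace; roleRef is outside the hunk, but if it still points at `extension-apiserver-authentication-reader`, which is an upstream Role that lives in kube-system, the binding becomes dangling in the release namespace and the operator's read access to the copied ConfigMap must come from some other grant. Either keep this binding in kube-system regardless of the flag and add a Role in the release namespace scoped to `get` on the copied ConfigMap, or reference that Role here, and note the dependency in the template: `# when copyAuthenticationConfigMap is true the Role referenced below must exist in the release namespace`.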
@@ -94,6 +94,15 @@ subjects:
name: {{ include "stash-enterprise.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
+# copy kube-system/extension-apiserver-authentication into stash operator namespace
+{{- if .Values.security.copyAuthenticationConfigMap }}
+
+{{ $obj := lookup "v1" "ConfigMap" "kube-system" "extension-apiserver-authentication" }}
+{{ $obj = mergeOverwrite $obj (dict "metadata" (dict "namespace" .Release.Namespace )) }}
+{{ toYaml $obj }}
+
+{{- end }}
+---
# to delegate authentication and authorization
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
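Review bot: The object rendered at lines 114-116 is the full live ConfigMap returned by `lookup` with only `metadata.namespace` overwritten, so it still carries the source's `uid`, `resourceVersion`, `creationTimestamp` and `managedFields`; the API server rejects creates that set resourceVersion, so a first install with the default of true is likely to fail, and when `lookup` returns nothing (`helm template`, `--dry-run`, or a user without read access to kube-system ConfigMaps) the block emits a bare `metadata: {namespace: ...}` document with no apiVersion or kind. Build a fresh object from `$obj.data` only and skip rendering when the lookup is empty, as below. Two points belong in the template comment too: the copy is a point-in-time snapshot, so after the cluster rotates its client or request-header CA bundles the operator keeps trusting the stale copy until the release is upgraded, and the CA bundle the operator trusts for delegated authentication is now controlled by whoever can write ConfigMaps in the release namespace rather than in kube-system, typically a wider group.
```yaml
# copy kube-system/extension-apiserver-authentication into stash operator namespace.
# Point-in-time snapshot: re-run `helm upgrade` after the cluster rotates its CA bundles.
{{- if .Values.security.copyAuthenticationConfigMap }}
{{- $src := lookup "v1" "ConfigMap" "kube-system" "extension-apiserver-authentication" }}
{{- if $src }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: extension-apiserver-authentication
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "stash-enterprise.labels" . | nindent 4 }}
data:
  {{- toYaml $src.data | nindent 2 }}
{{- end }}
{{- end }}
---
# … unchanged: ClusterRoleBinding that delegates authentication and authorization …
```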
diff --git a/charts/stash-enterprise/templates/deployment.yaml b/charts/stash-enterprise/templates/deployment.yaml
index 97d5745f7..29ac034de 100644
--- a/charts/stash-enterprise/templates/deployment.yaml
+++ b/charts/stash-enterprise/templates/deployment.yaml
@@ -48,6 +48,7 @@ spec:
- --image-pull-secrets={{ include "image-pull-secrets" . }}
{{- end }}
- --secure-port=8443
+ - --authentication-configmap-namespace={{ ternary .Release.Namespace "kube-system" .Values.security.copyAuthenticationConfigMap }}
- --audit-log-path=-
- --tls-cert-file=/var/serving-cert/tls.crt
- --tls-private-key-file=/var/serving-cert/tls.key
diff --git a/charts/stash-enterprise/values.openapiv3_schema.yaml b/charts/stash-enterprise/values.openapiv3_schema.yaml
index ee4700a93..5248cc64d 100644
--- a/charts/stash-enterprise/values.openapiv3_schema.yaml
+++ b/charts/stash-enterprise/values.openapiv3_schema.yaml
@@ -1739,6 +1739,8 @@ properties:
enabled:
type: boolean
type: object
+ copyAuthenticationConfigMap:
+ type: boolean
createPSPs:
properties:
baseline:
@@ -1760,6 +1762,7 @@ properties:
type: object
required:
- apparmor
+ - copyAuthenticationConfigMap
- createPSPs
- seccomp
type: object
diff --git a/charts/stash-enterprise/values.yaml b/charts/stash-enterprise/values.yaml
index ad86d6a49..291e47ece 100644
--- a/charts/stash-enterprise/values.yaml
+++ b/charts/stash-enterprise/values.yaml
@@ -184,6 +184,7 @@ monitoring:
# Only usable when monitoring agent is `prometheus.io/operator`.
labels: {}
security:
+ copyAuthenticationConfigMap: true
apparmor:
# `Optional:` Allows the default AppArmor profile, requires setting the default.
enabled: false
diff --git a/charts/stash/values.openapiv3_schema.yaml b/charts/stash/values.openapiv3_schema.yaml
index 8b9449f6f..4a337c89a 100644
--- a/charts/stash/values.openapiv3_schema.yaml
+++ b/charts/stash/values.openapiv3_schema.yaml
@@ -2121,6 +2121,8 @@ properties:
enabled:
type: boolean
type: object
+ copyAuthenticationConfigMap:
+ type: boolean
createPSPs:
properties:
baseline:
@@ -2142,6 +2144,7 @@ properties:
type: object
required:
- apparmor
+ - copyAuthenticationConfigMap
- createPSPs
- seccomp
type: object
@@ -4015,6 +4018,8 @@ properties:
enabled:
type: boolean
type: object
+ copyAuthenticationConfigMap:
+ type: boolean
createPSPs:
properties:
baseline:
@@ -4036,6 +4041,7 @@ properties:
type: object
required:
- apparmor
+ - copyAuthenticationConfigMap
- createPSPs
- seccomp
type: object