From 65932a6a43d4c02fbd78d18fd76c270e5f31439c Mon Sep 17 00:00:00 2001
From: Krzysztof Romanowski
Date: Thu, 4 Apr 2024 15:22:46 +0000
Subject: [PATCH] Make the kubeflow-m2m-oidc-configurator a CronJob
Signed-off-by: Krzysztof Romanowski
---
...ronjob.kubeflow-m2m-oidc-configurator.yaml | 37 +++++++++++++++++++
...-issuer-jwks-in-requestauthentication.yaml | 34 -----------------
.../kustomization.yaml | 6 +--
.../rbac.yaml | 10 ++---
4 files changed, 45 insertions(+), 42 deletions(-)
create mode 100644 common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
delete mode 100644 common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/job.configure-kubernetes-oidc-issuer-jwks-in-requestauthentication.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
new file mode 100644
index 0000000000..54849a799d
--- /dev/null
+++ b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: kubeflow-m2m-oidc-configurator
+ namespace: istio-system
+spec:
+ schedule: '* * * * *'
+ jobTemplate:
+ spec:
+ ttlSecondsAfterFinished: 60
+ template:
+ metadata:
+ labels: {}
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: kubeflow-m2m-oidc-configurator
+ containers:
+ - image: curlimages/curl
+ name: kubeflow-m2m-oidc-configurator
+ command:
+ - /script.sh
+ envFrom:
+ - configMapRef:
+ name: kubeflow-m2m-oidc-configurator-envs
+ volumeMounts:
+ - mountPath: /script.sh
+ name: script
+ subPath: script.sh
+ resources: {}
+ volumes:
+ - name: script
+ configMap:
+ name: kubeflow-m2m-oidc-configurator-script
+ defaultMode: 0777
+ items:
+ - key: script.sh
+ path: script.sh
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/job.configure-kubernetes-oidc-issuer-jwks-in-requestauthentication.yaml b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/job.configure-kubernetes-oidc-issuer-jwks-in-requestauthentication.yaml
deleted file mode 100644
index 44ecb089ac..0000000000
--- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/job.configure-kubernetes-oidc-issuer-jwks-in-requestauthentication.yaml
+++ /dev/null
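Review bot: In cronjob.kubeflow-m2m-oidc-configurator.yaml the container uses `image: curlimages/curl` with no tag or digest, and the pod now starts every minute (`schedule: '* * * * *'`) under the `kubeflow-m2m-oidc-configurator` service account, so by default whatever the registry serves under the implicit latest tag is pulled again on each run and executes with that account's RBAC in istio-system. Pin the image to a reviewed version and digest, e.g. `image: curlimages/curl:<VERSION>@sha256:<DIGEST>` (placeholders, to be filled from the release you have vetted). The spec also sets no `concurrencyPolicy`, so with `restartPolicy: OnFailure` a run that keeps failing can overlap the following ones; adding `concurrencyPolicy: Forbid` next to `schedule` would prevent that. `defaultMode: 0777` can be tightened to `0555`, since the mounted script only needs to be read and executed.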
@@ -1,34 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: configure-kubernetes-oidc-issuer-jwks-in-requestauthentication
- namespace: istio-system
-spec:
- ttlSecondsAfterFinished: 0
- template:
- metadata:
- labels: {}
- spec:
- restartPolicy: OnFailure
- serviceAccountName: self-signed-kubernetes-oidc-issuer-configurator
- containers:
- - image: curlimages/curl
- name: configure-kubernetes-oidc-issuer-jwks-in-requestauthentication
- command:
- - /script.sh
- envFrom:
- - configMapRef:
- name: configure-self-signed-kubernetes-oidc-issuer-envs
- volumeMounts:
- - mountPath: /script.sh
- name: script
- subPath: script.sh
- resources: {}
- volumes:
- - name: script
- configMap:
- name: configure-self-signed-kubernetes-oidc-issuer-script
- defaultMode: 0777
- items:
- - key: script.sh
- path: script.sh
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml
index e257bf9ea7..c60dc7fac4 100644
--- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml
+++ b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml
@@ -2,16 +2,16 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: -- job.configure-kubernetes-oidc-issuer-jwks-in-requestauthentication.yaml +- cronjob.kubeflow-m2m-oidc-configurator.yaml - rbac.yaml configMapGenerator: -- name: configure-self-signed-kubernetes-oidc-issuer-script +- name: kubeflow-m2m-oidc-configurator-script namespace: istio-system files: - script.sh=script.sh -- name: configure-self-signed-kubernetes-oidc-issuer-envs +- name: kubeflow-m2m-oidc-configurator-envs namespace: istio-system literals: - ISTIO_ROOT_NAMESPACE=istio-system
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml
index 08232c6b86..305a8fb5c0 100644
--- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml
+++ b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml
@@ -1,14 +1,14 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: self-signed-kubernetes-oidc-issuer-configurator + name: kubeflow-m2m-oidc-configurator namespace: istio-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: self-signed-kubernetes-oidc-issuer-configurator + name: kubeflow-m2m-oidc-configurator namespace: istio-system rules: - apiGroups:
@@ -23,13 +23,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: self-signed-kubernetes-oidc-issuer-configurator + name: kubeflow-m2m-oidc-configurator namespace: istio-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: self-signed-kubernetes-oidc-issuer-configurator + name: kubeflow-m2m-oidc-configurator subjects: - kind: ServiceAccount - name: self-signed-kubernetes-oidc-issuer-configurator + name: kubeflow-m2m-oidc-configurator namespace: istio-system