skipper: update hostname-credentials-controller

The logic previously implemented by secret-combiner was moved into
hostname-credentials-controller.

Signed-off-by: Alexander Yastrebov <[email protected]>

Author: AlexanderYastrebov

cluster/manifests/deletions.yaml

@@ -4,6 +4,20 @@ pre_apply:
   namespace: kube-system
   kind: Deployment
 
+# TODO: remove after rollout
+- kind: CronJob
+  name: secret-combiner
+  namespace: kube-system
+- kind: RoleBinding
+  name: secret-combiner
+  namespace: kube-system
+- kind: Role
+  name: secret-combiner
+  namespace: kube-system
+- kind: ServiceAccount
+  name: secret-combiner
+  namespace: kube-system
+
 # everything defined under here will be deleted after applying the manifests
 post_apply:
 - name: cronjob-monitor
@@ -75,7 +89,6 @@ post_apply:
 {{ end }}
 
 {{- if ne .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# hostname-credentials-controller
 - kind: CronJob
   name: hostname-credentials-controller
   namespace: kube-system
@@ -91,20 +104,6 @@ post_apply:
   labels:
     application: skipper-ingress
     component: hostname-credentials
-
-# secret-combiner
-- kind: CronJob
-  name: secret-combiner
-  namespace: kube-system
-- kind: RoleBinding
-  name: secret-combiner
-  namespace: kube-system
-- kind: Role
-  name: secret-combiner
-  namespace: kube-system
-- kind: ServiceAccount
-  name: secret-combiner
-  namespace: kube-system
 - kind: Secret
   name: hostname-credentials
   namespace: kube-system

cluster/manifests/skipper/hostname-credentials-controller.yaml

@@ -1,5 +1,5 @@
 # {{ if eq .Cluster.ConfigItems.skipper_oauth2_ui_login "true" }}
-# {{ $version := "main-11" }}
+# {{ $version := "main-12" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -56,6 +56,42 @@ subjects:
     name: hostname-credentials-controller
     namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hostname-credentials-controller
+  namespace: kube-system
+  labels:
+    application: skipper-ingress
+    component: hostname-credentials
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hostname-credentials-controller
+subjects:
+  - kind: ServiceAccount
+    name: hostname-credentials-controller
+    namespace: kube-system
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -91,10 +127,12 @@ spec:
               args:
                 - -ingress-selector=application
                 - -credentials-namespace=kube-system
-                - -credentials-name-template={hostname}-grant-credentials
+                - -credentials-name-template={host}-grant-credentials
                 - -credentials-selector=application=skipper-ingress,component=hostname-credentials
                 - -credentials-labels=application=skipper-ingress,component=hostname-credentials
                 - -credentials-redirect-uri-path={{ .Cluster.ConfigItems.skipper_oauth2_redirect_uri_path }}
+                - -combined-secret-name=hostname-credentials
+                - -combined-secret-labels=application=skipper-ingress,component=hostname-credentials-combined
               resources:
                 limits:
                   cpu: 10m