{{- /*
ConfigMap for the SPIFFE OIDC discovery provider.

Renders two data keys:
  - oidc-discovery-provider.conf: the provider's HCL configuration (always).
  - default.conf.template: an nginx config that proxies plain HTTP on port 80
    to the provider's unix socket (only when .Values.insecureScheme.enabled).
*/ -}}
{{- /* Unix socket the provider listens on in insecure-scheme mode; the nginx upstream below points at it. */ -}}
{{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
  namespace: {{ .Release.Namespace }}
data:
  oidc-discovery-provider.conf: |
    log_level = "{{ .Values.config.logLevel }}"
    {{- /* Domain list: the release service name, its namespace-qualified and
           cluster-local forms, plus any extra entries from .Values.config.domains
           (joined so that each extra entry lands on its own quoted line). */}}
    domains = [
      "{{ include "spiffe-oidc-discovery-provider.fullname" . }}",
      "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ .Release.Namespace }}",
      "{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local",
      {{- if gt (len .Values.config.domains) 0 }}
      "{{- join "\",\n \"" .Values.config.domains }}"
      {{- end }}
    ]
    {{- /* Insecure-scheme mode: the provider serves plain HTTP on $oidcSocket and the nginx
           config below exposes it on port 80; nothing in this ConfigMap terminates TLS —
           NOTE(review): confirm an ingress or mesh fronts it. Otherwise the provider's
           acme block is rendered instead. */}}
    {{- if .Values.insecureScheme.enabled }}
    {{- /* Renders the raw value (normally `true`); this branch is only taken when it is truthy. */}}
    allow_insecure_scheme = {{ .Values.insecureScheme.enabled }}
    listen_socket_path = {{ $oidcSocket | quote }}
    {{- else }}
    acme {
      directory_url = "{{ .Values.config.acme.directoryUrl }}"
      cache_dir = "{{ .Values.config.acme.cacheDir }}"
      {{- /* Rendered unquoted; expected to be a boolean in values. */}}
      tos_accepted = {{ .Values.config.acme.tosAccepted }}
      email = "{{ .Values.config.acme.emailAddress }}"
    }
    {{- end }}
    {{- /* Only the basename of the configured agent socket path is used, under
           /spiffe-workload-api/ — presumably where the agent socket is mounted
           into this pod; confirm against the deployment template. */}}
    workload_api {
      socket_path = "/spiffe-workload-api/{{ include "spire.agent-socket-path" . | splitList "/" | last }}"
      trust_domain = "{{ .Values.trustDomain }}"
    }
    {{- /* Health endpoints. bind_port is quoted, so it renders as an HCL string —
           NOTE(review): confirm the provider's config decoder accepts a string port. */}}
    health_checks {
      bind_port = "8008"
      ready_path = "/ready"
      live_path = "/live"
    }
  {{- if .Values.insecureScheme.enabled }}
  {{- /* nginx front end for insecure-scheme mode: listens on 80 (IPv4 and IPv6) and proxies to the provider's socket. */}}
  default.conf.template: |
    {{- /* Upstream is the unix socket defined at the top of this template. */}}
    upstream oidc {
      server unix:{{ $oidcSocket }};
    }
    server {
      listen 80;
      listen [::]:80;
      location / {
        proxy_pass http://oidc;
        {{- /* Forward the client's Host header unchanged — presumably so the provider
               can match it against its domains list; confirm against the provider docs. */}}
        proxy_set_header Host $host;
      }
      {{- /* nginx status page, restricted to IPv4 loopback only. Requests arriving via the
             [::]:80 listener from ::1 are not in the allow list and fall through to deny all
             — NOTE(review): confirm that is intended if anything probes it over IPv6. */}}
      location /stub_status {
        allow 127.0.0.1/32;
        deny all;
        stub_status on;
      }
    }
  {{- end }}