Add "--cluster-signing-*-file" flags pointing at a host volume mount.

This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2026-01-05 21:15:26 +00:00 · 2020-07-24 15:41:51 -05:00
parent 9f0d2606b1
commit 066bc84e2a
2 changed files with 49 additions and 2 deletions
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -47,6 +47,8 @@ spec:
    metadata:
      labels:
        app: #@ data.values.app_name
+    annotations:
+      scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: #@ data.values.app_name + "-service-account"
      containers:
@@ -62,11 +64,15 @@ spec:
          args:
            - --config=/etc/config/placeholder-name.yaml
            - --downward-api-path=/etc/podinfo
+            - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
+            - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
            - name: podinfo
              mountPath: /etc/podinfo
+            - name: k8s-certs
+              mountPath: /etc/kubernetes/pki
      volumes:
        - name: config-volume
          configMap:
@@ -80,3 +86,15 @@ spec:
              - path: "namespace"
                fieldRef:
                  fieldPath: metadata.namespace
+        - name: k8s-certs
+          hostPath:
+            path: /etc/kubernetes/pki
+            type: DirectoryOrCreate
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master