apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.12.0 name: sealedsecrets.bitnami.com spec: group: bitnami.com names: kind: SealedSecret listKind: SealedSecretList plural: sealedsecrets singular: sealedsecret scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.conditions[0].message name: Status type: string - jsonPath: .status.conditions[0].status name: Synced type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: SealedSecret is the K8s representation of a "sealed Secret" - a regular k8s Secret that has been sealed (encrypted) using the controller's key. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: SealedSecretSpec is the specification of a SealedSecret properties: data: description: Data is deprecated and will be removed eventually. Use per-value EncryptedData instead. format: byte type: string encryptedData: additionalProperties: type: string type: object x-kubernetes-preserve-unknown-fields: true template: description: Template defines the structure of the Secret that will be created from this sealed secret. properties: data: additionalProperties: type: string description: Keys that should be templated using decrypted data nullable: true type: object immutable: description: Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil. type: boolean metadata: description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' nullable: true properties: annotations: additionalProperties: type: string type: object finalizers: items: type: string type: array labels: additionalProperties: type: string type: object name: type: string namespace: type: string type: object x-kubernetes-preserve-unknown-fields: true type: description: Used to facilitate programmatic handling of secret data. type: string type: object required: - encryptedData type: object status: description: SealedSecretStatus is the most recently observed status of the SealedSecret. properties: conditions: description: Represents the latest available observations of a sealed secret's current state. items: description: SealedSecretCondition describes the state of a sealed secret at a certain point. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string lastUpdateTime: description: The last time this condition was updated. format: date-time type: string message: description: A human readable message indicating details about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: description: 'Status of the condition for a sealed secret. Valid values for "Synced": "True", "False", or "Unknown".' type: string type: description: 'Type of condition for a sealed secret. Valid value: "Synced"' type: string required: - status - type type: object type: array observedGeneration: description: ObservedGeneration reflects the generation most recently observed by the sealed-secrets controller. format: int64 type: integer type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets-key-admin namespace: kube-system rules: - apiGroups: - "" resourceNames: - sealed-secrets-key resources: - secrets verbs: - get - apiGroups: - "" resources: - secrets verbs: - create - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets-service-proxier namespace: kube-system rules: - apiGroups: - "" resourceNames: - sealed-secrets resources: - services verbs: - get - apiGroups: - "" resourceNames: - 'http:sealed-secrets:' - http:sealed-secrets:http - sealed-secrets resources: - services/proxy verbs: - create - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: secrets-unsealer rules: - apiGroups: - bitnami.com resources: - sealedsecrets verbs: - get - list - watch - apiGroups: - bitnami.com resources: - sealedsecrets/status verbs: - update - apiGroups: - "" resources: - secrets verbs: - get - list - create - update - delete - watch - apiGroups: - "" resources: - events verbs: - create - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets-key-admin namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: sealed-secrets-key-admin subjects: - apiGroup: "" kind: ServiceAccount name: sealed-secrets namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets-service-proxier namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: sealed-secrets-service-proxier subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: secrets-unsealer subjects: - apiGroup: "" kind: ServiceAccount name: sealed-secrets namespace: kube-system --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets namespace: kube-system spec: ports: - name: http nodePort: null port: 8080 targetPort: http selector: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/name: sealed-secrets type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: metrics app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets-metrics namespace: kube-system spec: ports: - name: metrics nodePort: null port: 8081 targetPort: metrics selector: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/name: sealed-secrets type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: sealed-secrets app.kubernetes.io/part-of: sealed-secrets app.kubernetes.io/version: 0.26.1 helm.sh/chart: sealed-secrets-2.15.2 name: sealed-secrets namespace: kube-system spec: replicas: 1 selector: matchLabels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/name: sealed-secrets template: metadata: labels: app.kubernetes.io/instance: sealed-secrets app.kubernetes.io/name: sealed-secrets spec: containers: - args: - --update-status - --key-prefix - sealed-secrets-key command: - controller image: docker.io/bitnami/sealed-secrets-controller:0.26.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: http initialDelaySeconds: 0 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: controller ports: - containerPort: 8080 name: http - containerPort: 8081 name: metrics readinessProbe: failureThreshold: 3 httpGet: path: /healthz port: http initialDelaySeconds: 0 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: limits: {} requests: {} securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 volumeMounts: - mountPath: /tmp name: tmp securityContext: fsGroup: 65534 serviceAccountName: sealed-secrets volumes: - emptyDir: {} name: tmp