Diffstat (limited to 'files')
-rw-r--r--files/origin-components/apiserver-config.yaml4
-rw-r--r--files/origin-components/apiserver-template.yaml122
-rw-r--r--files/origin-components/rbac-template.yaml92
-rw-r--r--files/origin-components/template-service-broker-registration.yaml25
4 files changed, 0 insertions, 243 deletions
diff --git a/files/origin-components/apiserver-config.yaml b/files/origin-components/apiserver-config.yaml
deleted file mode 100644
index e4048d1da..000000000
--- a/files/origin-components/apiserver-config.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: TemplateServiceBrokerConfig
-apiVersion: config.templateservicebroker.openshift.io/v1
-templateNamespaces:
-- openshift
diff --git a/files/origin-components/apiserver-template.yaml b/files/origin-components/apiserver-template.yaml
deleted file mode 100644
index 1b42597af..000000000
--- a/files/origin-components/apiserver-template.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-apiserver
-parameters:
-- name: IMAGE
- value: openshift/origin:latest
-- name: NAMESPACE
- value: openshift-template-service-broker
-- name: LOGLEVEL
- value: "0"
-- name: API_SERVER_CONFIG
- value: |
- kind: TemplateServiceBrokerConfig
- apiVersion: config.templateservicebroker.openshift.io/v1
- templateNamespaces:
- - openshift
-objects:
-
-# to create the tsb server
-- apiVersion: extensions/v1beta1
- kind: DaemonSet
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver
- labels:
- apiserver: "true"
- spec:
- template:
- metadata:
- name: apiserver
- labels:
- apiserver: "true"
- spec:
- serviceAccountName: apiserver
- containers:
- - name: c
- image: ${IMAGE}
- imagePullPolicy: IfNotPresent
- command:
- - "/usr/bin/openshift"
- - "start"
- - "template-service-broker"
- - "--secure-port=8443"
- - "--audit-log-path=-"
- - "--tls-cert-file=/var/serving-cert/tls.crt"
- - "--tls-private-key-file=/var/serving-cert/tls.key"
- - "--loglevel=${LOGLEVEL}"
- - "--config=/var/apiserver-config/apiserver-config.yaml"
- ports:
- - containerPort: 8443
- volumeMounts:
- - mountPath: /var/serving-cert
- name: serving-cert
- - mountPath: /var/apiserver-config
- name: apiserver-config
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- scheme: HTTPS
- volumes:
- - name: serving-cert
- secret:
- defaultMode: 420
- secretName: apiserver-serving-cert
- - name: apiserver-config
- configMap:
- defaultMode: 420
- name: apiserver-config
-
-# to create the config for the TSB
-- apiVersion: v1
- kind: ConfigMap
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver-config
- data:
- apiserver-config.yaml: ${API_SERVER_CONFIG}
-
-# to be able to assign powers to the process
-- apiVersion: v1
- kind: ServiceAccount
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to be able to expose TSB inside the cluster
-- apiVersion: v1
- kind: Service
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver
- annotations:
- service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
- spec:
- selector:
- apiserver: "true"
- ports:
- - port: 443
- targetPort: 8443
-
-# This service account will be granted permission to call the TSB.
-# The token for this SA will be provided to the service catalog for
-# use when calling the TSB.
-- apiVersion: v1
- kind: ServiceAccount
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
-
-# This secret will be populated with a copy of the templateservicebroker-client SA's
-# auth token. Since this secret has a static name, it can be referenced more
-# easily than the auto-generated secret for the service account.
-- apiVersion: v1
- kind: Secret
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
- annotations:
- kubernetes.io/service-account.name: templateservicebroker-client
- type: kubernetes.io/service-account-token
diff --git a/files/origin-components/rbac-template.yaml b/files/origin-components/rbac-template.yaml
deleted file mode 100644
index 0937a9065..000000000
--- a/files/origin-components/rbac-template.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-rbac
-parameters:
-- name: NAMESPACE
- value: openshift-template-service-broker
-- name: KUBE_SYSTEM
- value: kube-system
-objects:
-
-# Grant the service account permission to call the TSB
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: templateservicebroker-client
- roleRef:
- kind: ClusterRole
- name: system:openshift:templateservicebroker-client
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
-
-# to delegate authentication and authorization
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: auth-delegator-${NAMESPACE}
- roleRef:
- kind: ClusterRole
- name: system:auth-delegator
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to have the template service broker powers
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: tsb-${NAMESPACE}
- roleRef:
- kind: ClusterRole
- name: system:openshift:controller:template-service-broker
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to read the config for terminating authentication
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: RoleBinding
- metadata:
- namespace: ${KUBE_SYSTEM}
- name: extension-apiserver-authentication-reader-${NAMESPACE}
- roleRef:
- kind: Role
- name: extension-apiserver-authentication-reader
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# allow the kube service catalog's SA to read the static secret defined
-# above, which will contain the token for the SA that can call the TSB.
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: Role
- metadata:
- name: templateservicebroker-auth-reader
- namespace: ${NAMESPACE}
- rules:
- - apiGroups:
- - ""
- resourceNames:
- - templateservicebroker-client
- resources:
- - secrets
- verbs:
- - get
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: RoleBinding
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-auth-reader
- roleRef:
- kind: Role
- name: templateservicebroker-auth-reader
- subjects:
- - kind: ServiceAccount
- namespace: kube-service-catalog
- name: service-catalog-controller
diff --git a/files/origin-components/template-service-broker-registration.yaml b/files/origin-components/template-service-broker-registration.yaml
deleted file mode 100644
index 95fb72924..000000000
--- a/files/origin-components/template-service-broker-registration.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-registration
-parameters:
-- name: TSB_NAMESPACE
- value: openshift-template-service-broker
-- name: CA_BUNDLE
- required: true
-objects:
-# register the tsb with the service catalog
-- apiVersion: servicecatalog.k8s.io/v1beta1
- kind: ClusterServiceBroker
- metadata:
- name: template-service-broker
- spec:
- url: https://apiserver.${TSB_NAMESPACE}.svc:443/brokers/template.openshift.io
- insecureSkipTLSVerify: false
- caBundle: ${CA_BUNDLE}
- authInfo:
- bearer:
- secretRef:
- kind: Secret
- name: templateservicebroker-client
- namespace: ${TSB_NAMESPACE}