-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathapp.yaml
122 lines (122 loc) · 3.88 KB
/
app.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
apiVersion: v1
kind: Secret
metadata:
name: grype-offline-values
annotations:
kapp.k14s.io/change-group: grype-offline/app
kapp.k14s.io/change-rule: "upsert after upserting grype-offline/rbac"
stringData:
values.yaml: |
db:
#! Set to "true" to override the database "built" property,
#! setting the value to current timestamp. This allows you
#! to report the Grype database as "up-to-date".
#! Use with caution since Grype will not be able to report
#! the use of an outdated database.
disableExpiration: true
---
apiVersion: kappctrl.k14s.io/v1alpha1
kind: App
metadata:
name: grype-offline
annotations:
kapp.k14s.io/change-group: grype-offline/app
kapp.k14s.io/change-rule: "upsert after upserting grype-offline/rbac"
spec:
serviceAccountName: grype-offline-sa
syncPeriod: 30m
fetch:
- imgpkgBundle:
#! Use this command to copy and upload the bundle to your registry:
#! imgpkg copy --bundle ghcr.io/alexandreroman/grype-offline-db-bundle --to-repo myreg.corp.com/grype-offline/grype-offline-db-bundle
#! Then update this attribute and refer to your registry:
image: ghcr.io/alexandreroman/grype-offline-db-bundle:latest
#! Create a Kubernetes secret holding your registry credentials:
#! kubectl create secret docker-registry grype-offline-regcreds --docker-server=myreg.corp.com --docker-username=johndoe --docker-password=changeme
secretRef:
name: grype-offline-regcreds
template:
- ytt:
inline:
paths:
configmap-overlay.yaml: |
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#@overlay/match by=overlay.subset({"kind": "ConfigMap"}),expects=1
---
data:
DISABLE_DB_EXPIRATION: #@ str(data.values.db.disableExpiration)
imagepullsecrets-overlay.yaml: |
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind": "Service", "apiVersion": "serving.knative.dev/v1"}),expects=1
---
spec:
template:
spec:
#@overlay/match missing_ok=True
imagePullSecrets:
- name: grype-offline-regcreds
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
name: grype-offline-regcreds
namespace: default
spec:
toNamespaces:
- grype-offline
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretImport
metadata:
name: grype-offline-regcreds
namespace: grype-offline
spec:
fromNamespace: default
paths:
- "."
valuesFrom:
- secretRef:
name: grype-offline-values
- kbld:
paths:
- .imgpkg/images.yml
- "-"
deploy:
- kapp: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: grype-offline-sa
annotations:
kapp.k14s.io/change-group: grype-offline/rbac
kapp.k14s.io/change-rule: "delete after deleting grype-offline/app"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: grype-offline-cluster-role
annotations:
kapp.k14s.io/change-group: grype-offline/rbac
kapp.k14s.io/change-rule: "delete after deleting grype-offline/app"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: grype-offline-cluster-role-binding
annotations:
kapp.k14s.io/change-group: grype-offline/rbac
kapp.k14s.io/change-rule: "delete after deleting grype-offline/app"
subjects:
- kind: ServiceAccount
name: grype-offline-sa
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: grype-offline-cluster-role