[PR #267] [MERGED] feat: support ServiceAccount permissions for k8s deployment #894

Closed
opened 2026-03-03 01:06:43 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/certimate-go/certimate/pull/267
Author: @PittyXu
Created: 10/26/2024
Status: Merged
Merged: 10/27/2024
Merged by: @usual2970

Base: main ← Head: feat/k8s


📝 Commits (1)

  • 548cbbf feat: support ServiceAccount permissions for k8s deployment

📊 Changes

4 files changed (+22 additions, -13 deletions)

View changed files

📝 internal/deployer/k8s_secret.go (+17 -9)
📝 ui/src/components/certimate/AccessKubernetesForm.tsx (+2 -1)
📝 ui/src/i18n/locales/en/nls.access.json (+2 -2)
📝 ui/src/i18n/locales/zh/nls.access.json (+1 -1)

📄 Description

Allows certimate deployed in k8s to deploy certificates even without a kubeconfig.
The certimate Pod deployed in k8s needs a ServiceAccount with permission to write Secrets, as follows:

```yaml
---
# Cluster-scoped role: read and write access to Secrets
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: certimate
rules:
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - create
      - update
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: certimate
  namespace: default
  labels:
    app: certimate
---
# A ClusterRoleBinding applies the role in every namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: certimate
subjects:
  - kind: ServiceAccount
    name: certimate
    namespace: default
roleRef:
  kind: ClusterRole
  name: certimate
  apiGroup: rbac.authorization.k8s.io
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    app: certimate
  name: certimate
spec:
  selector:
    matchLabels:
      app: certimate
  template:
    metadata:
      labels:
        app: certimate
    spec:
      # The Pod runs as the certimate ServiceAccount defined above
      serviceAccount: certimate # deprecated alias of serviceAccountName
      serviceAccountName: certimate
      containers:
        - name: certimate
          image: registry.cn-shanghai.aliyuncs.com/usual2970/certimate:latest
          ports:
            - containerPort: 8090
              protocol: TCP
          volumeMounts:
            - mountPath: /app/pb_data
              name: volume-data
      volumes:
        - name: volume-data
          persistentVolumeClaim:
            claimName: certimate-pvc
```


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
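
The manifest in the description binds a ClusterRole with a ClusterRoleBinding, so the `certimate` ServiceAccount can read and write Secrets in every namespace. The following is an added example, not part of the PR or the project: a namespace-scoped Role and RoleBinding granting the same verbs only where certificates are deployed. The namespace `web`, the Secret name `site-tls` and the Role name `certimate-secret-writer` are hypothetical.

```yaml
# Added example (not from the PR): namespace-scoped alternative to the
# ClusterRole/ClusterRoleBinding in the description.
# "web", "site-tls" and "certimate-secret-writer" are hypothetical names.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: certimate-secret-writer
  namespace: web                  # namespace that holds the TLS Secret
rules:
  # get/update can be pinned to named Secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["site-tls"]   # Secret that certimate deploys into
    verbs: ["get", "update"]
  # create cannot be restricted by resourceNames (the object name is not
  # known at authorization time), so it is granted namespace-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: certimate-secret-writer
  namespace: web
subjects:
  - kind: ServiceAccount
    name: certimate               # ServiceAccount from the PR description
    namespace: default
roleRef:
  kind: Role
  name: certimate-secret-writer
  apiGroup: rbac.authorization.k8s.io
```

One Role/RoleBinding pair is needed per target namespace. With only these bindings in place, `kubectl auth can-i get secrets -n kube-system --as=system:serviceaccount:default:certimate` should answer `no`.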
