chore: document ignore-non-system-node and add to helm chart

postfinance · Jun 29, 2022 · 156e4c3 · 156e4c3
1 parent decc89a
commit 156e4c3
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -39,7 +39,8 @@ variables) are:
   Per default it is hardcoded to a maximum of 367 days, and can be reduced with
   this parameter.
 * `--bypass-dns-resolution` or `BYPASS_DNS_RESOLUTION` permits to bypass DNS resolution
-  check. the default value of the boolean is false, and you can enable it by
+  check. \
+  the default value of the boolean is false, and you can enable it by
   setting it to `true` (or any other option listed in GoLang's
   [`ParseBool`](https://github.com/golang/go/blob/master/src/strconv/atob.go#L10)
   function)
@@ -48,6 +49,10 @@ variables) are:
   addresses shall fall into. left unspecified, all IP addresses are allowed. \
   you can for example set it to `192.168.0.0/16,fc00::/7` if this reflects your
   local network IP ranges.
+* `--ignore-non-system-node` or `IGNORE_NON_SYSTEM_NODE` permits ignoring CSRs
+  with a _Username_ different than `system:node:......`. \
+  the default value of the boolean is false, and if you want to use this feature
+  you need to set this flag to `true`
 
 It is important to understand that the node DNS name needs to be
 resolvable for the `kubelet-csr-approver` to work properly. If this is an issue

diff --git a/charts/kubelet-csr-approver/Chart.yaml b/charts/kubelet-csr-approver/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubelet-csr-approver
 description: Kubelet CSR Approver
 type: application
-version: 0.2.2
+version: 0.2.3
 appVersion: v0.2.2
 maintainers:
   - name: clementnuss

diff --git a/charts/kubelet-csr-approver/templates/deployment.yaml b/charts/kubelet-csr-approver/templates/deployment.yaml
@@ -60,6 +60,10 @@ spec:
             - name: BYPASS_DNS_RESOLUTION
               value: {{ .Values.bypassDnsResolution | quote }}
           {{- end }}
+          {{- if .Values.ignoreNonSystemNode}}
+            - name: IGNORE_NON_SYSTEM_NODE
+              value: {{ .Values.ignoreNonSystemNode | quote }}
+          {{- end }}
           {{- with .Values.env }}
             {{ toYaml . | nindent 12 }}
           {{- end }}

diff --git a/charts/kubelet-csr-approver/values.yaml b/charts/kubelet-csr-approver/values.yaml
@@ -4,6 +4,8 @@ providerRegex: ""
 maxExpirationSeconds: ""
 # optional, permits to bypass dns resolution checks. default: false
 bypassDnsResolution: false
+# optional, permits ignoring CSRs with another Username than `system:node:...`
+ignoreNonSystemNode: false
 # optional, list of IP (IPv4, IPv6) subnets that are allowed to submit CSRs
 providerIpPrefixes: []
 #   - 192.168.8.0/22