ContainerImage.Pinniped/deploy/deployment.yaml

#@ load("@ytt:data", "data")

---
apiVersion: v1
kind: Namespace
metadata:
  name: #@ data.values.namespace
  labels:
    name: #@ data.values.namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: #@ data.values.app_name + "-service-account"
  namespace: #@ data.values.namespace
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: #@ data.values.app_name + "-config"
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
data:
  #@yaml/text-templated-strings
  placeholder-name.yaml: |
    discovery:
      url: (@= data.values.discovery_url or "null" @)
    webhook:
      url: (@= data.values.webhook_url @)
      caBundle: (@= data.values.webhook_ca_bundle @)
---
#! TODO set up healthy, ready, etc. probes correctly for our deployment
#! TODO set the priority-critical-urgent on our deployment to ask kube to never let it die
#! TODO set resource minimums (e.g. 512MB RAM) on the deployment to make sure we get scheduled onto a reasonable node
apiVersion: apps/v1
kind: Deployment
metadata:
  name: #@ data.values.app_name + "-deployment"
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
spec:
  replicas: 1 #! TODO more than one replica for high availability, and share the same serving certificate among them (maybe using client-go leader election)
  selector:
    matchLabels:
      app: #@ data.values.app_name
  template:
    metadata:
      labels:
        app: #@ data.values.app_name
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: #@ data.values.app_name + "-service-account"
      containers:
        - name: placeholder-name
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          command:
            - ./placeholder-name-server
          args:
            - --config=/etc/config/placeholder-name.yaml
            - --downward-api-path=/etc/podinfo
            - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
            - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
            - name: podinfo
              mountPath: /etc/podinfo
            - name: k8s-certs
              mountPath: /etc/kubernetes/pki
      volumes:
        - name: config-volume
          configMap:
            name: #@ data.values.app_name + "-config"
        - name: podinfo
          downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels
              - path: "namespace"
                fieldRef:
                  fieldPath: metadata.namespace
        - name: k8s-certs
          hostPath:
            path: /etc/kubernetes/pki
            type: DirectoryOrCreate
      #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
      #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
      #! priorityClassName: system-cluster-critical
      nodeSelector:
        node-role.kubernetes.io/master: ""
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
---
apiVersion: v1
kind: Service
metadata:
  name: placeholder-name-api #! the golang code assumes this specific name as part of the common name during cert generation
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
spec:
  type: ClusterIP
  selector:
    app: #@ data.values.app_name
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.placeholder.suzerain-io.github.io
  labels:
    app: #@ data.values.app_name
spec:
  version: v1alpha1
  group: placeholder.suzerain-io.github.io
  groupPriorityMinimum: 2500 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io
  versionPriority: 10 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io
  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
  service:
    name: placeholder-name-api
    namespace: #@ data.values.namespace
    port: 443
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`#@ load("@ytt:data", "data")`

			`---`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: #@ data.values.namespace`
			`labels:`
			`name: #@ data.values.namespace`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`---`
			`apiVersion: v1`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`kind: ServiceAccount`
			`metadata:`
			`name: #@ data.values.app_name + "-service-account"`
			`namespace: #@ data.values.namespace`
			`---`
			`apiVersion: v1`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`kind: ConfigMap`
			`metadata:`
			`name: #@ data.values.app_name + "-config"`
			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
			`data:`
Fix string templating in YAML config. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:58:28 +00:00			`#@yaml/text-templated-strings`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`placeholder-name.yaml: \|`
Allow override of discovery URL via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> - Seems like the next step is to allow override of the CA bundle; I didn't do that here for simplicity of the commit, but seems like it is the right thing to do in the future. 2020-08-03 14:17:11 +00:00			`discovery:`
Use rest.Config for discovery URL instead of env var - Why? Because the discovery URL is already there in the kubeconfig; let's not make our lives more complicated by passing it in via an env var. - Also allow for ytt callers to not specify data.values.discovery_url - there are going to be a non-trivial number of installers of placeholder-name that want to use the server URL found in the cluster-info ConfigMap. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-03 18:36:08 +00:00			`url: (@= data.values.discovery_url or "null" @)`
deployment.yaml: update config file format Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-14 16:38:43 +00:00			`webhook:`
			`url: (@= data.values.webhook_url @)`
			`caBundle: (@= data.values.webhook_ca_bundle @)`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`---`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`#! TODO set up healthy, ready, etc. probes correctly for our deployment`
			`#! TODO set the priority-critical-urgent on our deployment to ask kube to never let it die`
			`#! TODO set resource minimums (e.g. 512MB RAM) on the deployment to make sure we get scheduled onto a reasonable node`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: #@ data.values.app_name + "-deployment"`
			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
			`spec:`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`replicas: 1 #! TODO more than one replica for high availability, and share the same serving certificate among them (maybe using client-go leader election)`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`selector:`
			`matchLabels:`
			`app: #@ data.values.app_name`
			`template:`
			`metadata:`
			`labels:`
			`app: #@ data.values.app_name`
Indent pod template annotations correctly in deployment.yaml Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-08-04 21:34:10 +00:00			`annotations:`
			`scheduler.alpha.kubernetes.io/critical-pod: ""`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`spec:`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`serviceAccountName: #@ data.values.app_name + "-service-account"`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`containers:`
			`- name: placeholder-name`
Allow optionally using a tag instead of a digest in deployment.yaml 2020-07-09 17:16:46 +00:00			`#@ if data.values.image_digest:`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`image: #@ data.values.image_repo + "@" + data.values.image_digest`
Allow optionally using a tag instead of a digest in deployment.yaml 2020-07-09 17:16:46 +00:00			`#@ else:`
			`image: #@ data.values.image_repo + ":" + data.values.image_tag`
			`#@ end`
Set imagePullPolicy to prevent defaulting Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 04:39:56 +00:00			`imagePullPolicy: IfNotPresent`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`command:`
Change the name of the placeholder-name CLI to placeholder-name-server Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-27 20:32:14 +00:00			`- ./placeholder-name-server`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`args:`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`- --config=/etc/config/placeholder-name.yaml`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`- --downward-api-path=/etc/podinfo`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`- --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt`
			`- --cluster-signing-key-file=/etc/kubernetes/pki/ca.key`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`volumeMounts:`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`- name: config-volume`
			`mountPath: /etc/config`
			`- name: podinfo`
			`mountPath: /etc/podinfo`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`- name: k8s-certs`
			`mountPath: /etc/kubernetes/pki`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`volumes:`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`- name: config-volume`
			`configMap:`
			`name: #@ data.values.app_name + "-config"`
Refactor app.go and wire in autoregistration. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-16 19:24:30 +00:00			`- name: podinfo`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`downwardAPI:`
			`items:`
			`- path: "labels"`
			`fieldRef:`
			`fieldPath: metadata.labels`
			`- path: "namespace"`
			`fieldRef:`
			`fieldPath: metadata.namespace`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`- name: k8s-certs`
			`hostPath:`
			`path: /etc/kubernetes/pki`
			`type: DirectoryOrCreate`
Work around k8s 1.16 limitations of priorityClassName. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-27 14:22:39 +00:00			`#! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,`
			`#! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).`
			`#! priorityClassName: system-cluster-critical`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`nodeSelector:`
			`node-role.kubernetes.io/master: ""`
			`tolerations:`
			`- key: CriticalAddonsOnly`
			`operator: Exists`
			`- effect: NoSchedule`
			`key: node-role.kubernetes.io/master`
Fix a garbage collection bug - Previously the golang code would create a Service and an APIService. The APIService would be given an owner reference which pointed to the namespace in which the app was installed. - This prevented the app from being uninstalled. The namespace would refuse to delete, so `kapp delete` or `kubectl delete` would fail. - The new approach is to statically define the Service and an APIService in the deployment.yaml, except for the caBundle of the APIService. Then the golang code will perform an update to add the caBundle at runtime. - When the user uses `kapp deploy` or `kubectl apply` either tool will notice that the caBundle is not declared in the yaml and will therefore avoid editing that field. - When the user uses `kapp delete` or `kubectl delete` either tool will destroy the objects because they are statically declared with names in the yaml, just like all of the other objects. There are no ownerReferences used, so nothing should prevent the namespace from being deleted. - This approach also allows us to have less golang code to maintain. - In the future, if our golang controllers want to dynamically add an Ingress or other objects, they can still do that. An Ingress would point to our statically defined Service as its backend. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-04 23:46:27 +00:00			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: placeholder-name-api #! the golang code assumes this specific name as part of the common name during cert generation`
			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
			`spec:`
			`type: ClusterIP`
			`selector:`
			`app: #@ data.values.app_name`
			`ports:`
			`- protocol: TCP`
			`port: 443`
			`targetPort: 443`
			`---`
			`apiVersion: apiregistration.k8s.io/v1`
			`kind: APIService`
			`metadata:`
			`name: v1alpha1.placeholder.suzerain-io.github.io`
			`labels:`
			`app: #@ data.values.app_name`
			`spec:`
			`version: v1alpha1`
			`group: placeholder.suzerain-io.github.io`
			`groupPriorityMinimum: 2500 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io`
			`versionPriority: 10 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io`
			`#! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.`
			`service:`
			`name: placeholder-name-api`
			`namespace: #@ data.values.namespace`
			`port: 443`