ContainerImage.Pinniped/deploy/deployment.yaml

#@ load("@ytt:data", "data")

---
apiVersion: v1
kind: Namespace
metadata:
  name: #@ data.values.namespace
  labels:
    name: #@ data.values.namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: #@ data.values.app_name + "-service-account"
  namespace: #@ data.values.namespace
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: #@ data.values.app_name + "-config"
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
data:
  #@yaml/text-templated-strings
  placeholder-name.yaml: |
    discovery:
      url: (@= data.values.discovery_url or "null" @)
    webhook:
      url: (@= data.values.webhook_url @)
      caBundle: (@= data.values.webhook_ca_bundle @)
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
#@ end
---
#! TODO set up healthy, ready, etc. probes correctly?
#! TODO set resource minimums (e.g. 512MB RAM) to make sure we get scheduled onto a reasonable node?
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: #@ data.values.app_name
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
spec:
  selector:
    matchLabels:
      app: #@ data.values.app_name
  template:
    metadata:
      labels:
        app: #@ data.values.app_name
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: #@ data.values.app_name + "-service-account"
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
        - name: placeholder-name
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          args:
            - --config=/etc/config/placeholder-name.yaml
            - --downward-api-path=/etc/podinfo
            - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
            - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
            - name: podinfo
              mountPath: /etc/podinfo
            - name: k8s-certs
              mountPath: /etc/kubernetes/pki
          livenessProbe:
            httpGet:
              path: /healthz
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 20
            timeoutSeconds: 15
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 20
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 3
      volumes:
        - name: config-volume
          configMap:
            name: #@ data.values.app_name + "-config"
        - name: podinfo
          downwardAPI:
            items:
              - path: "labels"
                fieldRef:
                  fieldPath: metadata.labels
              - path: "namespace"
                fieldRef:
                  fieldPath: metadata.namespace
        - name: k8s-certs
          hostPath:
            path: /etc/kubernetes/pki
            type: DirectoryOrCreate
      nodeSelector: #! Create Pods on all nodes which match this node selector, and not on any other nodes.
        node-role.kubernetes.io/master: ""
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master #! Allow running on master nodes.
          effect: NoSchedule
      #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
      #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
      #!priorityClassName: system-cluster-critical
---
apiVersion: v1
kind: Service
metadata:
  name: placeholder-name-api #! the golang code assumes this specific name as part of the common name during cert generation
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
spec:
  type: ClusterIP
  selector:
    app: #@ data.values.app_name
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.placeholder.suzerain-io.github.io
  labels:
    app: #@ data.values.app_name
spec:
  version: v1alpha1
  group: placeholder.suzerain-io.github.io
  groupPriorityMinimum: 2500 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io
  versionPriority: 10 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io
  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
  service:
    name: placeholder-name-api
    namespace: #@ data.values.namespace
    port: 443
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`#@ load("@ytt:data", "data")`

			`---`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: #@ data.values.namespace`
			`labels:`
			`name: #@ data.values.namespace`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`---`
			`apiVersion: v1`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`kind: ServiceAccount`
			`metadata:`
			`name: #@ data.values.app_name + "-service-account"`
			`namespace: #@ data.values.namespace`
			`---`
			`apiVersion: v1`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`kind: ConfigMap`
			`metadata:`
			`name: #@ data.values.app_name + "-config"`
			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
			`data:`
Fix string templating in YAML config. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:58:28 +00:00			`#@yaml/text-templated-strings`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`placeholder-name.yaml: \|`
Allow override of discovery URL via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com> - Seems like the next step is to allow override of the CA bundle; I didn't do that here for simplicity of the commit, but seems like it is the right thing to do in the future. 2020-08-03 14:17:11 +00:00			`discovery:`
Use rest.Config for discovery URL instead of env var - Why? Because the discovery URL is already there in the kubeconfig; let's not make our lives more complicated by passing it in via an env var. - Also allow for ytt callers to not specify data.values.discovery_url - there are going to be a non-trivial number of installers of placeholder-name that want to use the server URL found in the cluster-info ConfigMap. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-03 18:36:08 +00:00			`url: (@= data.values.discovery_url or "null" @)`
deployment.yaml: update config file format Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-14 16:38:43 +00:00			`webhook:`
			`url: (@= data.values.webhook_url @)`
			`caBundle: (@= data.values.webhook_ca_bundle @)`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`---`
Add image pull secret as a data value for our ytt templates Signed-off-by: Aram Price <pricear@vmware.com> 2020-08-13 00:02:43 +00:00			`#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: image-pull-secret`
			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
Set the `type` on the image pull `Secret` Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-13 20:34:23 +00:00			`type: kubernetes.io/dockerconfigjson`
Add image pull secret as a data value for our ytt templates Signed-off-by: Aram Price <pricear@vmware.com> 2020-08-13 00:02:43 +00:00			`data:`
			`.dockerconfigjson: #@ data.values.image_pull_dockerconfigjson`
			`#@ end`
			`---`
Use a DaemonSet instead of a Deployment to deploy our app - For high availability reasons, we would like our app to scale linearly with the size of the control plane. Using a DaemonSet allows us to run one pod on each node-role.kubernetes.io/master node. - The hope is that the Service that we create should load balance between these pods appropriately. 2020-08-12 00:55:34 +00:00			`#! TODO set up healthy, ready, etc. probes correctly?`
			`#! TODO set resource minimums (e.g. 512MB RAM) to make sure we get scheduled onto a reasonable node?`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`apiVersion: apps/v1`
Use a DaemonSet instead of a Deployment to deploy our app - For high availability reasons, we would like our app to scale linearly with the size of the control plane. Using a DaemonSet allows us to run one pod on each node-role.kubernetes.io/master node. - The hope is that the Service that we create should load balance between these pods appropriately. 2020-08-12 00:55:34 +00:00			`kind: DaemonSet`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`metadata:`
Use a DaemonSet instead of a Deployment to deploy our app - For high availability reasons, we would like our app to scale linearly with the size of the control plane. Using a DaemonSet allows us to run one pod on each node-role.kubernetes.io/master node. - The hope is that the Service that we create should load balance between these pods appropriately. 2020-08-12 00:55:34 +00:00			`name: #@ data.values.app_name`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
			`spec:`
			`selector:`
			`matchLabels:`
			`app: #@ data.values.app_name`
			`template:`
			`metadata:`
			`labels:`
			`app: #@ data.values.app_name`
Indent pod template annotations correctly in deployment.yaml Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-08-04 21:34:10 +00:00			`annotations:`
			`scheduler.alpha.kubernetes.io/critical-pod: ""`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`spec:`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`serviceAccountName: #@ data.values.app_name + "-service-account"`
Add image pull secret as a data value for our ytt templates Signed-off-by: Aram Price <pricear@vmware.com> 2020-08-13 00:02:43 +00:00			`#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":`
			`imagePullSecrets:`
			`- name: image-pull-secret`
			`#@ end`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`containers:`
			`- name: placeholder-name`
Allow optionally using a tag instead of a digest in deployment.yaml 2020-07-09 17:16:46 +00:00			`#@ if data.values.image_digest:`
Example deployment Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-07-07 20:17:34 +00:00			`image: #@ data.values.image_repo + "@" + data.values.image_digest`
Allow optionally using a tag instead of a digest in deployment.yaml 2020-07-09 17:16:46 +00:00			`#@ else:`
			`image: #@ data.values.image_repo + ":" + data.values.image_tag`
			`#@ end`
Set imagePullPolicy to prevent defaulting Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 04:39:56 +00:00			`imagePullPolicy: IfNotPresent`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`args:`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`- --config=/etc/config/placeholder-name.yaml`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`- --downward-api-path=/etc/podinfo`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`- --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt`
			`- --cluster-signing-key-file=/etc/kubernetes/pki/ca.key`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`volumeMounts:`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`- name: config-volume`
			`mountPath: /etc/config`
			`- name: podinfo`
			`mountPath: /etc/podinfo`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`- name: k8s-certs`
			`mountPath: /etc/kubernetes/pki`
Implement basic liveness and readiness probes - Call the auto-generated /healthz endpoint of our aggregated API server - Use http for liveness even though tcp seems like it might be more appropriate, because tcp probes cause TLS handshake errors to appear in our logs every few seconds - Use conservative timeouts and retries on the liveness probe to avoid having our container get restarted when it is temporarily slow due to running in an environment under resource pressure - Use less conservative timeouts and retries for the readiness probe to remove an unhealthy pod from the service less conservatively than restarting the container - Tuning the settings for retries and timeouts seem to be a mysterious art, so these are just a first draft 2020-08-17 23:44:42 +00:00			`livenessProbe:`
			`httpGet:`
			`path: /healthz`
			`port: 443`
			`scheme: HTTPS`
			`initialDelaySeconds: 20`
			`timeoutSeconds: 15`
			`periodSeconds: 10`
			`failureThreshold: 5`
			`readinessProbe:`
			`httpGet:`
			`path: /healthz`
			`port: 443`
			`scheme: HTTPS`
			`initialDelaySeconds: 20`
			`timeoutSeconds: 3`
			`periodSeconds: 10`
			`failureThreshold: 3`
Add an example config to ./deploy resources. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-09 16:42:31 +00:00			`volumes:`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`- name: config-volume`
			`configMap:`
			`name: #@ data.values.app_name + "-config"`
Refactor app.go and wire in autoregistration. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-16 19:24:30 +00:00			`- name: podinfo`
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-17 21:42:02 +00:00			`downwardAPI:`
			`items:`
			`- path: "labels"`
			`fieldRef:`
			`fieldPath: metadata.labels`
			`- path: "namespace"`
			`fieldRef:`
			`fieldPath: metadata.namespace`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`- name: k8s-certs`
			`hostPath:`
			`path: /etc/kubernetes/pki`
			`type: DirectoryOrCreate`
Use a DaemonSet instead of a Deployment to deploy our app - For high availability reasons, we would like our app to scale linearly with the size of the control plane. Using a DaemonSet allows us to run one pod on each node-role.kubernetes.io/master node. - The hope is that the Service that we create should load balance between these pods appropriately. 2020-08-12 00:55:34 +00:00			`nodeSelector: #! Create Pods on all nodes which match this node selector, and not on any other nodes.`
Add "--cluster-signing-*-file" flags pointing at a host volume mount. This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates. The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-24 20:41:51 +00:00			`node-role.kubernetes.io/master: ""`
			`tolerations:`
Use a DaemonSet instead of a Deployment to deploy our app - For high availability reasons, we would like our app to scale linearly with the size of the control plane. Using a DaemonSet allows us to run one pod on each node-role.kubernetes.io/master node. - The hope is that the Service that we create should load balance between these pods appropriately. 2020-08-12 00:55:34 +00:00			`- key: CriticalAddonsOnly`
			`operator: Exists`
			`- key: node-role.kubernetes.io/master #! Allow running on master nodes.`
			`effect: NoSchedule`
			`#! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,`
			`#! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).`
			`#!priorityClassName: system-cluster-critical`
Fix a garbage collection bug - Previously the golang code would create a Service and an APIService. The APIService would be given an owner reference which pointed to the namespace in which the app was installed. - This prevented the app from being uninstalled. The namespace would refuse to delete, so `kapp delete` or `kubectl delete` would fail. - The new approach is to statically define the Service and an APIService in the deployment.yaml, except for the caBundle of the APIService. Then the golang code will perform an update to add the caBundle at runtime. - When the user uses `kapp deploy` or `kubectl apply` either tool will notice that the caBundle is not declared in the yaml and will therefore avoid editing that field. - When the user uses `kapp delete` or `kubectl delete` either tool will destroy the objects because they are statically declared with names in the yaml, just like all of the other objects. There are no ownerReferences used, so nothing should prevent the namespace from being deleted. - This approach also allows us to have less golang code to maintain. - In the future, if our golang controllers want to dynamically add an Ingress or other objects, they can still do that. An Ingress would point to our statically defined Service as its backend. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-04 23:46:27 +00:00			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: placeholder-name-api #! the golang code assumes this specific name as part of the common name during cert generation`
			`namespace: #@ data.values.namespace`
			`labels:`
			`app: #@ data.values.app_name`
			`spec:`
			`type: ClusterIP`
			`selector:`
			`app: #@ data.values.app_name`
			`ports:`
			`- protocol: TCP`
			`port: 443`
			`targetPort: 443`
			`---`
			`apiVersion: apiregistration.k8s.io/v1`
			`kind: APIService`
			`metadata:`
			`name: v1alpha1.placeholder.suzerain-io.github.io`
			`labels:`
			`app: #@ data.values.app_name`
			`spec:`
			`version: v1alpha1`
			`group: placeholder.suzerain-io.github.io`
			`groupPriorityMinimum: 2500 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io`
			`versionPriority: 10 #! TODO what is the right value? https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#apiservicespec-v1beta1-apiregistration-k8s-io`
			`#! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.`
			`service:`
			`name: placeholder-name-api`
			`namespace: #@ data.values.namespace`
			`port: 443`