From 006d96ab927362361779e940f814858d324453be Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Tue, 6 Oct 2020 10:12:29 -0400
Subject: [PATCH] supervisor-oidc: create dynamic config in YTT templates
Signed-off-by: Andrew Keesler
---
 deploy-supervisor/deployment.yaml | 23 +++++++++++++++++++++++
 deploy-supervisor/values.yaml | 6 ++++++
 hack/prepare-for-integration-tests.sh | 6 +++++-
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/deploy-supervisor/deployment.yaml b/deploy-supervisor/deployment.yaml
index cd4079c8..bb2f0956 100644
--- a/deploy-supervisor/deployment.yaml
+++ b/deploy-supervisor/deployment.yaml
@@ -30,6 +30,29 @@ data:
 names:
 dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: #@ data.values.app_name + "-dynamic-config"
+ namespace: #@ data.values.namespace
+ labels:
+ app: #@ data.values.app_name
+data:
+ issuer: #@ data.values.issuer_url
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: #@ data.values.app_name + "-static-config"
+ namespace: #@ data.values.namespace
+ labels:
+ app: #@ data.values.app_name
+data:
+ #@yaml/text-templated-strings
+ pinniped.yaml: |
+ names:
+ dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
+---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
 kind: Secret
diff --git a/deploy-supervisor/values.yaml b/deploy-supervisor/values.yaml
index 6df6efe9..ec0430a9 100644
--- a/deploy-supervisor/values.yaml
+++ b/deploy-supervisor/values.yaml
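Review bot: The second added document (the `-static-config` ConfigMap whose `pinniped.yaml` holds `names:` / `dynamicConfigMap: (@= ... @)`) repeats exactly what the hunk's leading context lines show already ending the preceding document, and if that preceding document is the existing `-static-config` ConfigMap the rendered manifest will carry two ConfigMaps with the same name and namespace, which kapp would likely reject or collapse to whichever comes last; only the `-dynamic-config` document appears to be the intended addition here. Separately, `issuer: #@ data.values.issuer_url` is rendered with no check, while the values.yaml hunk leaves `issuer_url:` empty (null) and documents it as a required HTTPS URL, so an unset value renders `issuer: null` and an `http://` value is accepted even though the same comment says the discovery spec forbids it; the values.yaml hunk has the same gap. A ytt-level guard ahead of this document, such as `#@ if not data.values.issuer_url or not data.values.issuer_url.startswith("https://"):` followed by `#@   assert.fail("issuer_url must be a non-empty https:// URL")` (with `#@ load("@ytt:assert", "assert")` at the top of the template), would fail the render at deploy time instead of surfacing later in the discovery document and `iss` claim. I would also add above the dynamic ConfigMap: `#! issuer becomes the iss claim and the base of the OIDC discovery endpoints; it must be the externally reachable HTTPS URL of this supervisor (see issuer_url in values.yaml).`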
@@ -20,3 +20,9 @@ image_tag: latest
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+
+#! Specifies the base URL used in the endpoint fields (e.g., authorization_endpoint, jwks_url, etc.)
+#! of the OpenID Provider Metadata, as well as the value of the iss JWT claim that will be used by
+#! this OIDC provider. Per the OIDC Discovery spec, this URL must use the HTTPS scheme. See
+#! https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3.
+issuer_url: #! e.g., https://auth.my-org.com
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 05f94288..f5d5073f 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -177,12 +177,16 @@ kubectl create secret generic "$test_username" \
 #
 # Deploy the Pinniped Supervisor
 #
+issuer_url=https://todo.what-should-this-be
+
 pushd deploy-supervisor >/dev/null
 log_note "Deploying the Pinniped Supervisor app to the cluster..."
 ytt --file . \
 --data-value "image_repo=$registry_repo" \
- --data-value "image_tag=$tag" >"$manifest"
+ --data-value "image_tag=$tag" \
+ --data-value "issuer_url=$issuer_url" \
+ >"$manifest"
 kapp deploy --yes --app "pinniped-supervisor" --diff-changes --file "$manifest"
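Review bot: `issuer_url=https://todo.what-should-this-be` hard-codes a placeholder hostname the project does not control as the issuer that this script bakes into the supervisor's dynamic ConfigMap; since the values.yaml hunk in this patch says that URL becomes the `iss` claim and the base of the discovery endpoints, the integration deployment will advertise endpoints under a name it cannot serve, and the TODO is visible only to someone reading the script. I would make the value overridable and announce it at run time, e.g. `issuer_url="${SUPERVISOR_ISSUER_URL_OVERRIDE:-https://todo.what-should-this-be}"` (variable name illustrative, choose the script's convention) followed by `log_note "Supervisor issuer_url=$issuer_url (placeholder until a real test issuer exists)"` using the `log_note` helper already called in this hunk. Quoting the assignment's value would also match the script's existing `"$manifest"` style. The enclosing script continues outside the hunk, so I cannot see whether a later step depends on this issuer resolving.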