supervisor-oidc: create dynamic config in YTT templates

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 10:12:29 -04:00 · 2020-10-06 10:12:29 -04:00 · 006d96ab92
commit 006d96ab92
parent fd6a7f5892
3 changed files with 34 additions and 1 deletions
--- a/deploy-supervisor/deployment.yaml
+++ b/deploy-supervisor/deployment.yaml
@ -30,6 +30,29 @@ data:
    names:
      dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: #@ data.values.app_name + "-dynamic-config"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+data:
+  issuer: #@ data.values.issuer_url
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: #@ data.values.app_name + "-static-config"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+data:
+  #@yaml/text-templated-strings
+  pinniped.yaml: |
+    names:
+      dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
+---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
 kind: Secret
--- a/deploy-supervisor/values.yaml
+++ b/deploy-supervisor/values.yaml
@ -20,3 +20,9 @@ image_tag: latest
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+
+#! Specifies the base URL used in the endpoint fields (e.g., authorization_endpoint, jwks_url, etc.)
+#! of the OpenID Provider Metadata, as well as the value of the iss JWT claim that will be used by
+#! this OIDC provider. Per the OIDC Discovery spec, this URL must use the HTTPS scheme. See
+#! https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3.
+issuer_url: #! e.g., https://auth.my-org.com
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -177,12 +177,16 @@ kubectl create secret generic "$test_username" \
 #
 # Deploy the Pinniped Supervisor
 #
+issuer_url=https://todo.what-should-this-be
+
 pushd deploy-supervisor >/dev/null

 log_note "Deploying the Pinniped Supervisor app to the cluster..."
 ytt --file . \
  --data-value "image_repo=$registry_repo" \
-  --data-value "image_tag=$tag" >"$manifest"
+  --data-value "image_tag=$tag" \
+  --data-value "issuer_url=$issuer_url" \
+  >"$manifest"

 kapp deploy --yes --app "pinniped-supervisor" --diff-changes --file "$manifest"