Support installing concierge and supervisor into existing namespace

- New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 15:05:42 -07:00 · 2020-10-14 15:05:42 -07:00 · 1301018655
commit 1301018655
parent cd970616da
12 changed files with 274 additions and 158 deletions
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@ -2,28 +2,30 @@
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 #@ if not data.values.into_namespace:
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: #@ data.values.namespace
-  labels:
+  labels: #@ labels()
-    name: #@ data.values.namespace
+#@ end
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
  labels: #@ labels()
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: #@ data.values.app_name + "-config"
+  name: #@ defaultResourceNameWithSuffix("config")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 data:
  #! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below.
  #@yaml/text-templated-strings
@ -35,11 +37,11 @@ data:
        durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
        renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
    names:
-      servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
+      servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
-      credentialIssuerConfig: (@= data.values.app_name + "-config" @)
+      credentialIssuerConfig: (@= defaultResourceNameWithSuffix("config") @)
-      apiService: (@= data.values.app_name + "-api" @)
+      apiService: (@= defaultResourceNameWithSuffix("api") @)
    kubeCertAgent:
-      namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @)
+      namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
      (@ if data.values.kube_cert_agent_image: @)
      image: (@= data.values.kube_cert_agent_image @)
      (@ else: @)
@ -59,9 +61,8 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: image-pull-secret
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
@ -70,29 +71,26 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  replicas: #@ data.values.replicas
  selector:
-    matchLabels:
+    matchLabels: #@ defaultLabel()
      app: #@ data.values.app_name
  template:
    metadata:
-      labels:
+      labels: #@ defaultLabel()
        app: #@ data.values.app_name
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
-      serviceAccountName: #@ data.values.app_name
+      serviceAccountName: #@ defaultResourceName()
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
-        - name: pinniped
+        - name: #@ defaultResourceName()
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
@ -131,7 +129,7 @@ spec:
      volumes:
        - name: config-volume
          configMap:
-            name: #@ data.values.app_name + "-config"
+            name: #@ defaultResourceNameWithSuffix("config")
        - name: podinfo
          downwardAPI:
            items:
@ -157,22 +155,19 @@ spec:
            - weight: 50
              podAffinityTerm:
                labelSelector:
-                  matchLabels:
+                  matchLabels: #@ defaultLabel()
                    app: #@ data.values.app_name
                topologyKey: kubernetes.io/hostname
 ---
 apiVersion: v1
 kind: Service
 metadata:
  #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below.
-  name: #@ data.values.app_name + "-api"
+  name: #@ defaultResourceNameWithSuffix("api")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  type: ClusterIP
-  selector:
+  selector: #@ defaultLabel()
    app: #@ data.values.app_name
  ports:
    - protocol: TCP
      port: 443
@ -182,8 +177,7 @@ apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
  name: v1alpha1.login.pinniped.dev
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  version: v1alpha1
  group: login.pinniped.dev
@ -191,6 +185,6 @@ spec:
  versionPriority: 10
  #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
  service:
-    name: #@ data.values.app_name + "-api"
+    name: #@ defaultResourceNameWithSuffix("api")
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
    port: 443
--- a/deploy/concierge/helpers.lib.yaml
+++ b/deploy/concierge/helpers.lib.yaml
@ -0,0 +1,30 @@
 #! Copyright 2020 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("@ytt:template", "template")
 #@ def defaultResourceName():
 #@   return data.values.app_name
 #@ end
 #@ def defaultResourceNameWithSuffix(suffix):
 #@   return data.values.app_name + "-" + suffix
 #@ end
 #@ def namespace():
 #@   if data.values.into_namespace:
 #@     return data.values.into_namespace
 #@   else:
 #@     return data.values.namespace
 #@   end
 #@ end
 #@ def defaultLabel():
 app: #@ data.values.app_name
 #@ end
 #@ def labels():
 _: #@ template.replace(defaultLabel())
 _: #@ template.replace(data.values.custom_labels)
 #@ end
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@ -2,13 +2,15 @@
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 #! Give permission to various cluster-scoped objects
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: #@ data.values.app_name + "-aggregated-api-server"
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  labels: #@ labels()
 rules:
  - apiGroups: [ "" ]
    resources: [ namespaces ]
@ -23,14 +25,15 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-aggregated-api-server"
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  labels: #@ labels()
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: ClusterRole
-  name: #@ data.values.app_name + "-aggregated-api-server"
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  apiGroup: rbac.authorization.k8s.io
 #! Give permission to various objects within the app's own namespace
@ -38,8 +41,9 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: #@ data.values.app_name + "-aggregated-api-server"
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
  labels: #@ labels()
 rules:
  - apiGroups: [ "" ]
    resources: [ services ]
@ -62,15 +66,16 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-aggregated-api-server"
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
  labels: #@ labels()
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: Role
-  name: #@ data.values.app_name + "-aggregated-api-server"
+  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  apiGroup: rbac.authorization.k8s.io
 #! Give permission to read pods in the kube-system namespace so we can find the API server's private key
@ -78,8 +83,9 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: #@ data.values.app_name + "-kube-system-pod-read"
+  name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
  namespace: kube-system
  labels: #@ labels()
 rules:
  - apiGroups: [ "" ]
    resources: [ pods ]
@ -88,15 +94,16 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-kube-system-pod-read"
+  name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
  namespace: kube-system
  labels: #@ labels()
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: Role
-  name: #@ data.values.app_name + "-kube-system-pod-read"
+  name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
  apiGroup: rbac.authorization.k8s.io
 #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
@ -104,7 +111,8 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: #@ data.values.app_name + "-create-token-credential-requests"
+  name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
  labels: #@ labels()
 rules:
  - apiGroups: [ login.pinniped.dev ]
    resources: [ tokencredentialrequests ]
@ -113,7 +121,8 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-create-token-credential-requests"
+  name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
  labels: #@ labels()
 subjects:
  - kind: Group
    name: system:authenticated
@ -123,7 +132,7 @@ subjects:
    apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
-  name: #@ data.values.app_name + "-create-token-credential-requests"
+  name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
  apiGroup: rbac.authorization.k8s.io
 #! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
@ -131,12 +140,13 @@ roleRef:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
  labels: #@ labels()
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: ClusterRole
  name: system:auth-delegator
@ -147,12 +157,13 @@ roleRef:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-extension-apiserver-authentication-reader"
+  name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
  namespace: kube-system
  labels: #@ labels()
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: Role
  name: extension-apiserver-authentication-reader
@ -163,8 +174,9 @@ roleRef:
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-cluster-info-lister-watcher"
+  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
  namespace: kube-public
  labels: #@ labels()
 rules:
  - apiGroups: [ "" ]
    resources: [ configmaps ]
@ -173,13 +185,14 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-cluster-info-lister-watcher"
+  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
  namespace: kube-public
  labels: #@ labels()
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: Role
-  name: #@ data.values.app_name + "-cluster-info-lister-watcher"
+  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
  apiGroup: rbac.authorization.k8s.io
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
@ -5,7 +5,20 @@
 ---
 app_name: pinniped-concierge
 #! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
 namespace: pinniped-concierge
 #! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
 #! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
 into_namespace: #! e.g. my-preexisting-namespace
 #! All resources created statically by yaml at install-time and all resources created dynamically
 #! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
 #! specified here. The app can be uninstalled either by:
 #! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
 #!    resources that were dynamically created by controllers at runtime
 #! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
 custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
 #! Specify how many replicas of the Pinniped server to run.
 replicas: 2
@ -20,7 +33,7 @@ image_tag: latest
 #! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
 kube_cert_agent_image:
-#! Specifies a secret to be used when pulling the above container image.
+#! Specifies a secret to be used when pulling the above `image_repo` container image.
 #! Can be used when the above image_repo is a private registry.
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@ -0,0 +1,17 @@
 #! Copyright 2020 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:overlay", "overlay")
 #@ load("helpers.lib.yaml", "labels")
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuerconfigs.config.pinniped.dev"}}), expects=1
 ---
 metadata:
  #@overlay/match missing_ok=True
  labels: #@ labels()
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.idp.pinniped.dev"}}), expects=1
 ---
 metadata:
  #@overlay/match missing_ok=True
  labels: #@ labels()
--- a/deploy/local-user-authenticator/values.yaml
+++ b/deploy/local-user-authenticator/values.yaml
@ -9,7 +9,7 @@ image_repo: docker.io/getpinniped/pinniped-server
 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
 image_tag: latest
-#! Specifies a secret to be used when pulling the above container image.
+#! Specifies a secret to be used when pulling the above `image_repo` container image.
 #! Can be used when the above image_repo is a private registry.
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@ -2,42 +2,43 @@
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 #@ if not data.values.into_namespace:
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: #@ data.values.namespace
-  labels:
+  labels: #@ labels()
-    name: #@ data.values.namespace
+#@ end
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
  labels: #@ labels()
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: #@ data.values.app_name + "-static-config"
+  name: #@ defaultResourceNameWithSuffix("static-config")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 data:
  #@yaml/text-templated-strings
  pinniped.yaml: |
    names:
-      dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
+      dynamicConfigMap: (@= defaultResourceNameWithSuffix("dynamic-config") @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
 kind: Secret
 metadata:
  name: image-pull-secret
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
@ -46,27 +47,24 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  replicas: #@ data.values.replicas
  selector:
-    matchLabels:
+    matchLabels: #@ defaultLabel()
      app: #@ data.values.app_name
  template:
    metadata:
-      labels:
+      labels: #@ defaultLabel()
        app: #@ data.values.app_name
    spec:
-      serviceAccountName: #@ data.values.app_name
+      serviceAccountName: #@ defaultResourceName()
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
-        - name: pinniped-supervisor
+        - name: #@ defaultResourceName()
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
@ -89,7 +87,7 @@ spec:
      volumes:
        - name: config-volume
          configMap:
-            name: #@ data.values.app_name + "-static-config"
+            name: #@ defaultResourceNameWithSuffix("static-config")
        - name: podinfo
          downwardAPI:
            items:
@ -107,6 +105,5 @@ spec:
            - weight: 50
              podAffinityTerm:
                labelSelector:
-                  matchLabels:
+                  matchLabels: #@ defaultLabel()
                    app: #@ data.values.app_name
                topologyKey: kubernetes.io/hostname
--- a/deploy/supervisor/helpers.lib.yaml
+++ b/deploy/supervisor/helpers.lib.yaml
@ -0,0 +1,30 @@
 #! Copyright 2020 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("@ytt:template", "template")
 #@ def defaultResourceName():
 #@   return data.values.app_name
 #@ end
 #@ def defaultResourceNameWithSuffix(suffix):
 #@   return data.values.app_name + "-" + suffix
 #@ end
 #@ def namespace():
 #@   if data.values.into_namespace:
 #@     return data.values.into_namespace
 #@   else:
 #@     return data.values.namespace
 #@   end
 #@ end
 #@ def defaultLabel():
 app: #@ data.values.app_name
 #@ end
 #@ def labels():
 _: #@ template.replace(defaultLabel())
 _: #@ template.replace(data.values.custom_labels)
 #@ end
--- a/deploy/supervisor/rbac.yaml
+++ b/deploy/supervisor/rbac.yaml
@ -2,16 +2,16 @@
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 #! Give permission to various objects within the app's own namespace
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 rules:
  - apiGroups: [config.pinniped.dev]
    resources: [oidcproviderconfigs]
@ -20,15 +20,14 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 subjects:
  - kind: ServiceAccount
-    name: #@ data.values.app_name
+    name: #@ defaultResourceName()
-    namespace: #@ data.values.namespace
+    namespace: #@ namespace()
 roleRef:
  kind: Role
-  name: #@ data.values.app_name
+  name: #@ defaultResourceName()
  apiGroup: rbac.authorization.k8s.io
--- a/deploy/supervisor/service.yaml
+++ b/deploy/supervisor/service.yaml
@ -1,14 +1,17 @@
 #! Copyright 2020 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:data", "data")
 #@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
 #@ if data.values.service_nodeport_port:
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: #@ data.values.app_name + "-nodeport"
+  name: #@ defaultResourceNameWithSuffix("nodeport")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  type: NodePort
  selector:
@ -25,14 +28,12 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: #@ data.values.app_name + "-clusterip"
+  name: #@ defaultResourceNameWithSuffix("clusterip")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  type: ClusterIP
-  selector:
+  selector: #@ defaultLabel()
    app: #@ data.values.app_name
  ports:
    - protocol: TCP
      port: #@ data.values.service_clusterip_port
@ -44,14 +45,12 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: #@ data.values.app_name + "-loadbalancer"
+  name: #@ defaultResourceNameWithSuffix("loadbalancer")
-  namespace: #@ data.values.namespace
+  namespace: #@ namespace()
-  labels:
+  labels: #@ labels()
    app: #@ data.values.app_name
 spec:
  type: LoadBalancer
-  selector:
+  selector: #@ defaultLabel()
    app: #@ data.values.app_name
  ports:
    - protocol: TCP
      port: #@ data.values.service_loadbalancer_port
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@ -5,7 +5,20 @@
 ---
 app_name: pinniped-supervisor
 #! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
 namespace: pinniped-supervisor
 #! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
 #! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
 into_namespace: #! e.g. my-preexisting-namespace
 #! All resources created statically by yaml at install-time and all resources created dynamically
 #! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
 #! specified here. The app can be uninstalled either by:
 #! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
 #!    resources that were dynamically created by controllers at runtime
 #! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
 custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
 #! Specify how many replicas of the Pinniped server to run.
 replicas: 2
@ -15,7 +28,7 @@ image_repo: docker.io/getpinniped/pinniped-server
 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
 image_tag: latest
-#! Specifies a secret to be used when pulling the above container image.
+#! Specifies a secret to be used when pulling the above `image_repo` container image.
 #! Can be used when the above image_repo is a private registry.
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
--- a/deploy/supervisor/z0_crd_overlay.yaml
+++ b/deploy/supervisor/z0_crd_overlay.yaml
@ -0,0 +1,11 @@
 #! Copyright 2020 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 #@ load("@ytt:overlay", "overlay")
 #@ load("helpers.lib.yaml", "labels")
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcproviderconfigs.config.pinniped.dev"}}), expects=1
 ---
 metadata:
  #@overlay/match missing_ok=True
  labels: #@ labels()