Support installing concierge and supervisor into existing namespace

- New optional ytt value called `into_namespace` means install into that
  preexisting namespace rather than creating a new namespace for each app
- Also ensure that every resource that is created statically by our yaml
  at install-time by either app is labeled consistently
- Also support adding custom labels to all of those resources from a
  new ytt value called `custom_labels`
This commit is contained in:
Ryan Richard 2020-10-14 15:05:42 -07:00
parent cd970616da
commit 1301018655
12 changed files with 274 additions and 158 deletions

View File

@ -2,28 +2,30 @@
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#@ if not data.values.into_namespace:
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: #@ data.values.namespace name: #@ data.values.namespace
labels: labels: #@ labels()
name: #@ data.values.namespace #@ end
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: #@ labels()
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: #@ data.values.app_name + "-config" name: #@ defaultResourceNameWithSuffix("config")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
data: data:
#! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below. #! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below.
#@yaml/text-templated-strings #@yaml/text-templated-strings
@ -35,11 +37,11 @@ data:
durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @) durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @) renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
names: names:
servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @) servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
credentialIssuerConfig: (@= data.values.app_name + "-config" @) credentialIssuerConfig: (@= defaultResourceNameWithSuffix("config") @)
apiService: (@= data.values.app_name + "-api" @) apiService: (@= defaultResourceNameWithSuffix("api") @)
kubeCertAgent: kubeCertAgent:
namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @) namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
(@ if data.values.kube_cert_agent_image: @) (@ if data.values.kube_cert_agent_image: @)
image: (@= data.values.kube_cert_agent_image @) image: (@= data.values.kube_cert_agent_image @)
(@ else: @) (@ else: @)
@ -59,9 +61,8 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: image-pull-secret name: image-pull-secret
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
type: kubernetes.io/dockerconfigjson type: kubernetes.io/dockerconfigjson
data: data:
.dockerconfigjson: #@ data.values.image_pull_dockerconfigjson .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
@ -70,29 +71,26 @@ data:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
replicas: #@ data.values.replicas replicas: #@ data.values.replicas
selector: selector:
matchLabels: matchLabels: #@ defaultLabel()
app: #@ data.values.app_name
template: template:
metadata: metadata:
labels: labels: #@ defaultLabel()
app: #@ data.values.app_name
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: "" scheduler.alpha.kubernetes.io/critical-pod: ""
spec: spec:
serviceAccountName: #@ data.values.app_name serviceAccountName: #@ defaultResourceName()
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
imagePullSecrets: imagePullSecrets:
- name: image-pull-secret - name: image-pull-secret
#@ end #@ end
containers: containers:
- name: pinniped - name: #@ defaultResourceName()
#@ if data.values.image_digest: #@ if data.values.image_digest:
image: #@ data.values.image_repo + "@" + data.values.image_digest image: #@ data.values.image_repo + "@" + data.values.image_digest
#@ else: #@ else:
@ -131,7 +129,7 @@ spec:
volumes: volumes:
- name: config-volume - name: config-volume
configMap: configMap:
name: #@ data.values.app_name + "-config" name: #@ defaultResourceNameWithSuffix("config")
- name: podinfo - name: podinfo
downwardAPI: downwardAPI:
items: items:
@ -157,22 +155,19 @@ spec:
- weight: 50 - weight: 50
podAffinityTerm: podAffinityTerm:
labelSelector: labelSelector:
matchLabels: matchLabels: #@ defaultLabel()
app: #@ data.values.app_name
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
#! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below. #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below.
name: #@ data.values.app_name + "-api" name: #@ defaultResourceNameWithSuffix("api")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector: #@ defaultLabel()
app: #@ data.values.app_name
ports: ports:
- protocol: TCP - protocol: TCP
port: 443 port: 443
@ -182,8 +177,7 @@ apiVersion: apiregistration.k8s.io/v1
kind: APIService kind: APIService
metadata: metadata:
name: v1alpha1.login.pinniped.dev name: v1alpha1.login.pinniped.dev
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
version: v1alpha1 version: v1alpha1
group: login.pinniped.dev group: login.pinniped.dev
@ -191,6 +185,6 @@ spec:
versionPriority: 10 versionPriority: 10
#! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code. #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
service: service:
name: #@ data.values.app_name + "-api" name: #@ defaultResourceNameWithSuffix("api")
namespace: #@ data.values.namespace namespace: #@ namespace()
port: 443 port: 443

View File

@ -0,0 +1,30 @@
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#@ load("@ytt:template", "template")
#@ def defaultResourceName():
#@ return data.values.app_name
#@ end
#@ def defaultResourceNameWithSuffix(suffix):
#@ return data.values.app_name + "-" + suffix
#@ end
#@ def namespace():
#@ if data.values.into_namespace:
#@ return data.values.into_namespace
#@ else:
#@ return data.values.namespace
#@ end
#@ end
#@ def defaultLabel():
app: #@ data.values.app_name
#@ end
#@ def labels():
_: #@ template.replace(defaultLabel())
_: #@ template.replace(data.values.custom_labels)
#@ end

View File

@ -2,35 +2,38 @@
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#! Give permission to various cluster-scoped objects #! Give permission to various cluster-scoped objects
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
labels: #@ labels()
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: [namespaces] resources: [ namespaces ]
verbs: [get, list, watch] verbs: [ get, list, watch ]
- apiGroups: [apiregistration.k8s.io] - apiGroups: [ apiregistration.k8s.io ]
resources: [apiservices] resources: [ apiservices ]
verbs: [create, get, list, patch, update, watch] verbs: [ create, get, list, patch, update, watch ]
- apiGroups: [admissionregistration.k8s.io] - apiGroups: [ admissionregistration.k8s.io ]
resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations] resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
verbs: [get, list, watch] verbs: [ get, list, watch ]
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
labels: #@ labels()
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
#! Give permission to various objects within the app's own namespace #! Give permission to various objects within the app's own namespace
@ -38,39 +41,41 @@ roleRef:
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: #@ labels()
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: [services] resources: [ services ]
verbs: [create, get, list, patch, update, watch] verbs: [ create, get, list, patch, update, watch ]
- apiGroups: [""] - apiGroups: [ "" ]
resources: [secrets] resources: [ secrets ]
verbs: [create, get, list, patch, update, watch, delete] verbs: [ create, get, list, patch, update, watch, delete ]
#! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods. #! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
- apiGroups: [""] - apiGroups: [ "" ]
resources: [pods] resources: [ pods ]
verbs: [create, get, list, patch, update, watch, delete] verbs: [ create, get, list, patch, update, watch, delete ]
#! We need to be able to exec into pods in our namespace so we can grab the API server's private key #! We need to be able to exec into pods in our namespace so we can grab the API server's private key
- apiGroups: [""] - apiGroups: [ "" ]
resources: [pods/exec] resources: [ pods/exec ]
verbs: [create] verbs: [ create ]
- apiGroups: [config.pinniped.dev, idp.pinniped.dev] - apiGroups: [ config.pinniped.dev, idp.pinniped.dev ]
resources: ["*"] resources: [ "*" ]
verbs: [create, get, list, update, watch] verbs: [ create, get, list, update, watch ]
--- ---
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: #@ labels()
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: Role kind: Role
name: #@ data.values.app_name + "-aggregated-api-server" name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
#! Give permission to read pods in the kube-system namespace so we can find the API server's private key #! Give permission to read pods in the kube-system namespace so we can find the API server's private key
@ -78,25 +83,27 @@ roleRef:
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: #@ data.values.app_name + "-kube-system-pod-read" name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
namespace: kube-system namespace: kube-system
labels: #@ labels()
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: [pods] resources: [ pods ]
verbs: [get, list, watch] verbs: [ get, list, watch ]
--- ---
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-kube-system-pod-read" name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
namespace: kube-system namespace: kube-system
labels: #@ labels()
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: Role kind: Role
name: #@ data.values.app_name + "-kube-system-pod-read" name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests) #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
@ -104,16 +111,18 @@ roleRef:
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: #@ data.values.app_name + "-create-token-credential-requests" name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
labels: #@ labels()
rules: rules:
- apiGroups: [login.pinniped.dev] - apiGroups: [ login.pinniped.dev ]
resources: [tokencredentialrequests] resources: [ tokencredentialrequests ]
verbs: [create] verbs: [ create ]
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-create-token-credential-requests" name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
labels: #@ labels()
subjects: subjects:
- kind: Group - kind: Group
name: system:authenticated name: system:authenticated
@ -123,7 +132,7 @@ subjects:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: #@ data.values.app_name + "-create-token-credential-requests" name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers #! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
@ -131,12 +140,13 @@ roleRef:
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: #@ labels()
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: system:auth-delegator name: system:auth-delegator
@ -147,12 +157,13 @@ roleRef:
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-extension-apiserver-authentication-reader" name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
namespace: kube-system namespace: kube-system
labels: #@ labels()
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: Role kind: Role
name: extension-apiserver-authentication-reader name: extension-apiserver-authentication-reader
@ -163,23 +174,25 @@ roleRef:
kind: Role kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-cluster-info-lister-watcher" name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
namespace: kube-public namespace: kube-public
labels: #@ labels()
rules: rules:
- apiGroups: [""] - apiGroups: [ "" ]
resources: [configmaps] resources: [ configmaps ]
verbs: [list, watch] verbs: [ list, watch ]
--- ---
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name + "-cluster-info-lister-watcher" name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
namespace: kube-public namespace: kube-public
labels: #@ labels()
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: Role kind: Role
name: #@ data.values.app_name + "-cluster-info-lister-watcher" name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io

View File

@ -5,7 +5,20 @@
--- ---
app_name: pinniped-concierge app_name: pinniped-concierge
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
namespace: pinniped-concierge namespace: pinniped-concierge
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
into_namespace: #! e.g. my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
#! specified here. The app can be uninstalled either by:
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
#! Specify how many replicas of the Pinniped server to run. #! Specify how many replicas of the Pinniped server to run.
replicas: 2 replicas: 2
@ -20,7 +33,7 @@ image_tag: latest
#! By default, the same image specified for image_repo/image_digest/image_tag will be re-used. #! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
kube_cert_agent_image: kube_cert_agent_image:
#! Specifies a secret to be used when pulling the above container image. #! Specifies a secret to be used when pulling the above `image_repo` container image.
#! Can be used when the above image_repo is a private registry. #! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional. #! Optional.

View File

@ -0,0 +1,17 @@
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:overlay", "overlay")
#@ load("helpers.lib.yaml", "labels")
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuerconfigs.config.pinniped.dev"}}), expects=1
---
metadata:
#@overlay/match missing_ok=True
labels: #@ labels()
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.idp.pinniped.dev"}}), expects=1
---
metadata:
#@overlay/match missing_ok=True
labels: #@ labels()

View File

@ -9,7 +9,7 @@ image_repo: docker.io/getpinniped/pinniped-server
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
image_tag: latest image_tag: latest
#! Specifies a secret to be used when pulling the above container image. #! Specifies a secret to be used when pulling the above `image_repo` container image.
#! Can be used when the above image_repo is a private registry. #! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional. #! Optional.

View File

@ -2,42 +2,43 @@
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#@ if not data.values.into_namespace:
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: #@ data.values.namespace name: #@ data.values.namespace
labels: labels: #@ labels()
name: #@ data.values.namespace #@ end
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: #@ labels()
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: #@ data.values.app_name + "-static-config" name: #@ defaultResourceNameWithSuffix("static-config")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
data: data:
#@yaml/text-templated-strings #@yaml/text-templated-strings
pinniped.yaml: | pinniped.yaml: |
names: names:
dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @) dynamicConfigMap: (@= defaultResourceNameWithSuffix("dynamic-config") @)
--- ---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: image-pull-secret name: image-pull-secret
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
type: kubernetes.io/dockerconfigjson type: kubernetes.io/dockerconfigjson
data: data:
.dockerconfigjson: #@ data.values.image_pull_dockerconfigjson .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
@ -46,27 +47,24 @@ data:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
replicas: #@ data.values.replicas replicas: #@ data.values.replicas
selector: selector:
matchLabels: matchLabels: #@ defaultLabel()
app: #@ data.values.app_name
template: template:
metadata: metadata:
labels: labels: #@ defaultLabel()
app: #@ data.values.app_name
spec: spec:
serviceAccountName: #@ data.values.app_name serviceAccountName: #@ defaultResourceName()
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
imagePullSecrets: imagePullSecrets:
- name: image-pull-secret - name: image-pull-secret
#@ end #@ end
containers: containers:
- name: pinniped-supervisor - name: #@ defaultResourceName()
#@ if data.values.image_digest: #@ if data.values.image_digest:
image: #@ data.values.image_repo + "@" + data.values.image_digest image: #@ data.values.image_repo + "@" + data.values.image_digest
#@ else: #@ else:
@ -89,7 +87,7 @@ spec:
volumes: volumes:
- name: config-volume - name: config-volume
configMap: configMap:
name: #@ data.values.app_name + "-static-config" name: #@ defaultResourceNameWithSuffix("static-config")
- name: podinfo - name: podinfo
downwardAPI: downwardAPI:
items: items:
@ -107,6 +105,5 @@ spec:
- weight: 50 - weight: 50
podAffinityTerm: podAffinityTerm:
labelSelector: labelSelector:
matchLabels: matchLabels: #@ defaultLabel()
app: #@ data.values.app_name
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname

View File

@ -0,0 +1,30 @@
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#@ load("@ytt:template", "template")
#@ def defaultResourceName():
#@ return data.values.app_name
#@ end
#@ def defaultResourceNameWithSuffix(suffix):
#@ return data.values.app_name + "-" + suffix
#@ end
#@ def namespace():
#@ if data.values.into_namespace:
#@ return data.values.into_namespace
#@ else:
#@ return data.values.namespace
#@ end
#@ end
#@ def defaultLabel():
app: #@ data.values.app_name
#@ end
#@ def labels():
_: #@ template.replace(defaultLabel())
_: #@ template.replace(data.values.custom_labels)
#@ end

View File

@ -2,16 +2,16 @@
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#! Give permission to various objects within the app's own namespace #! Give permission to various objects within the app's own namespace
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
rules: rules:
- apiGroups: [config.pinniped.dev] - apiGroups: [config.pinniped.dev]
resources: [oidcproviderconfigs] resources: [oidcproviderconfigs]
@ -20,15 +20,14 @@ rules:
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: #@ data.values.app_name name: #@ defaultResourceName()
namespace: #@ data.values.namespace namespace: #@ namespace()
roleRef: roleRef:
kind: Role kind: Role
name: #@ data.values.app_name name: #@ defaultResourceName()
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io

View File

@ -1,14 +1,17 @@
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
#@ if data.values.service_nodeport_port: #@ if data.values.service_nodeport_port:
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: #@ data.values.app_name + "-nodeport" name: #@ defaultResourceNameWithSuffix("nodeport")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
type: NodePort type: NodePort
selector: selector:
@ -25,14 +28,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: #@ data.values.app_name + "-clusterip" name: #@ defaultResourceNameWithSuffix("clusterip")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector: #@ defaultLabel()
app: #@ data.values.app_name
ports: ports:
- protocol: TCP - protocol: TCP
port: #@ data.values.service_clusterip_port port: #@ data.values.service_clusterip_port
@ -44,14 +45,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: #@ data.values.app_name + "-loadbalancer" name: #@ defaultResourceNameWithSuffix("loadbalancer")
namespace: #@ data.values.namespace namespace: #@ namespace()
labels: labels: #@ labels()
app: #@ data.values.app_name
spec: spec:
type: LoadBalancer type: LoadBalancer
selector: selector: #@ defaultLabel()
app: #@ data.values.app_name
ports: ports:
- protocol: TCP - protocol: TCP
port: #@ data.values.service_loadbalancer_port port: #@ data.values.service_loadbalancer_port

View File

@ -5,7 +5,20 @@
--- ---
app_name: pinniped-supervisor app_name: pinniped-supervisor
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
namespace: pinniped-supervisor namespace: pinniped-supervisor
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
into_namespace: #! e.g. my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
#! specified here. The app can be uninstalled either by:
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
#! Specify how many replicas of the Pinniped server to run. #! Specify how many replicas of the Pinniped server to run.
replicas: 2 replicas: 2
@ -15,7 +28,7 @@ image_repo: docker.io/getpinniped/pinniped-server
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8 image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
image_tag: latest image_tag: latest
#! Specifies a secret to be used when pulling the above container image. #! Specifies a secret to be used when pulling the above `image_repo` container image.
#! Can be used when the above image_repo is a private registry. #! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional. #! Optional.

View File

@ -0,0 +1,11 @@
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:overlay", "overlay")
#@ load("helpers.lib.yaml", "labels")
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcproviderconfigs.config.pinniped.dev"}}), expects=1
---
metadata:
#@overlay/match missing_ok=True
labels: #@ labels()