From 616211c1bc2e25ba577da46f762376774e7e25ce Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 19 Jan 2021 17:23:06 -0500
Subject: [PATCH] deploy: wire API group suffix through YTT templates

I didn't advertise this feature in the deploy README's since (hopefully) not many people will want to use it?

Signed-off-by: Andrew Keesler
---
 deploy/concierge/deployment.yaml | 7 ++++---
 deploy/concierge/helpers.lib.yaml | 6 +++++-
 deploy/concierge/rbac.yaml | 9 ++++++---
 deploy/concierge/values.yaml | 6 ++++++
 deploy/concierge/z0_crd_overlay.yaml | 14 ++++++++++++--
 deploy/supervisor/deployment.yaml | 1 +
 deploy/supervisor/helpers.lib.yaml | 6 +++++-
 deploy/supervisor/rbac.yaml | 13 ++++++++-----
 deploy/supervisor/values.yaml | 6 ++++++
 deploy/supervisor/z0_crd_overlay.yaml | 11 +++++++++--
 10 files changed, 62 insertions(+), 17 deletions(-)

diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index f5963549..3d7f4243 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -3,7 +3,7 @@
 
 #@ load("@ytt:data", "data")
 #@ load("@ytt:json", "json")
-#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel")
+#@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
 
 #@ if not data.values.into_namespace:
 ---
@@ -37,6 +37,7 @@ data:
       servingCertificate:
         durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
         renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
+      apiGroupSuffix: (@= data.values.api_group_suffix @)
       names:
         servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
         credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
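Review bot: The new `apiGroupSuffix: (@= data.values.api_group_suffix @)` line is written into the text-templated pinniped.yaml block unquoted, so an empty `api_group_suffix` renders as `apiGroupSuffix: ` and is read back as null rather than an empty string, and a value containing YAML-special characters would change the parsed shape of the config. Unless the binary's config loader is known to default an empty value (not visible in this diff), quoting the expansion, `apiGroupSuffix: "(@= data.values.api_group_suffix @)"`, keeps it a string, and validating the value in the helper fails the render early instead of surfacing at pod start. The same unquoted line is added to deploy/supervisor/deployment.yaml.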
@@ -191,11 +192,11 @@ spec:
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
-  name: v1alpha1.login.concierge.pinniped.dev
+  name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.login.concierge")
   labels: #@ labels()
 spec:
   version: v1alpha1
-  group: login.concierge.pinniped.dev
+  group: #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
   groupPriorityMinimum: 2500
   versionPriority: 10
   #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
diff --git a/deploy/concierge/helpers.lib.yaml b/deploy/concierge/helpers.lib.yaml
index 452faa75..6ad07f4b 100644
--- a/deploy/concierge/helpers.lib.yaml
+++ b/deploy/concierge/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -12,6 +12,10 @@
 #@ return data.values.app_name + "-" + suffix
 #@ end
 
+#@ def pinnipedDevAPIGroupWithPrefix(prefix):
+#@ return prefix + "." + data.values.api_group_suffix
+#@ end
+
 #@ def namespace():
 #@ if data.values.into_namespace:
 #@ return data.values.into_namespace
diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 088725a7..8df8734b 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -2,7 +2,7 @@
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
+#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
 
 #! Give permission to various cluster-scoped objects
 ---
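Review bot: `pinnipedDevAPIGroupWithPrefix` in helpers.lib.yaml concatenates `data.values.api_group_suffix` without checking it, so a blank or non-string suffix flows into every CRD name, APIService group and RBAC apiGroups rendered from it, and the mistake only shows up when the API server rejects the manifests or, for RBAC, as a silent mismatch between the rules and the groups the binary serves. A render-time check in the helper makes the failure mode explicit; it needs `#@ load("@ytt:assert", "assert")` next to the existing data load, and the identical helper added to deploy/supervisor/helpers.lib.yaml needs the same treatment. The function also lacks a header comment describing what it produces; the version below adds one.

```yaml
#! Returns the full Pinniped API group name for the given prefix, e.g.
#! pinnipedDevAPIGroupWithPrefix("login.concierge") -> "login.concierge.pinniped.dev"
#! when api_group_suffix is left at its default.
#@ def pinnipedDevAPIGroupWithPrefix(prefix):
#@ suffix = data.values.api_group_suffix
#@ if type(suffix) != "string" or len(suffix) == 0:
#@ assert.fail("api_group_suffix must be a non-empty string (a DNS subdomain such as pinniped.dev)")
#@ end
#@ return prefix + "." + suffix
#@ end
```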
@@ -66,7 +66,9 @@ rules:
   - apiGroups: [ "" ]
     resources: [ pods/exec ]
     verbs: [ create ]
-  - apiGroups: [ config.concierge.pinniped.dev, authentication.concierge.pinniped.dev ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
+      - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
     resources: [ "*" ]
     verbs: [ create, get, list, update, watch ]
   - apiGroups: [apps]
@@ -124,7 +126,8 @@ metadata:
   name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
   labels: #@ labels()
 rules:
-  - apiGroups: [ login.concierge.pinniped.dev ]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
     resources: [ tokencredentialrequests ]
     verbs: [ create ]
 ---
diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml
index 5aab13c8..c06aa0b0 100644
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
@@ -57,3 +57,9 @@ log_level: #! By default, when this value is left unset, only warnings and error
 run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
 run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
+ #! Specify the API group suffix for all Pinniped API groups. By default, this is set to
+#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
+#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
+#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+api_group_suffix: pinniped.dev
diff --git a/deploy/concierge/z0_crd_overlay.yaml b/deploy/concierge/z0_crd_overlay.yaml
index 011d69d6..935d5f8c 100644
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
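Review bot: The comment on the new `api_group_suffix` value in values.yaml has a stray period where a comma belongs, `foo.tuna.io. authentication.concierge.tuna.io`; it should read `foo.tuna.io, authentication.concierge.tuna.io`. The comment also does not say what a valid value looks like, nor that the suffix is baked into `metadata.name` and `spec.group` of every Pinniped CRD and into the RBAC rules, so changing it on an installation that already exists presumably yields a new set of objects rather than a rename; a line such as `#! The value must be a valid DNS subdomain. Changing it on an existing installation is not an in-place rename.` would warn operators. The same comment, including the typo and a concierge-only example, is added to deploy/supervisor/values.yaml.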
@@ -1,23 +1,33 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:overlay", "overlay")
-#@ load("helpers.lib.yaml", "labels")
+#@ load("helpers.lib.yaml", "labels", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:data", "data")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"credentialissuers.config.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("credentialissuers.config.concierge")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookauthenticators.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("webhookauthenticators.authentication.concierge")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"jwtauthenticators.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("jwtauthenticators.authentication.concierge")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
index da9dba99..48607e3f 100644
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
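Review bot: The added `#@ load("@ytt:data", "data")` in z0_crd_overlay.yaml appears unused: the new `name:` and `spec.group` lines only call `pinnipedDevAPIGroupWithPrefix`, which reads the data value inside helpers.lib.yaml, so the load can be dropped here and in deploy/supervisor/z0_crd_overlay.yaml. The overlay also now relies on a non-obvious invariant worth stating above the first `#@overlay/match`: the matchers still select the generated CRDs by their hard-coded `...pinniped.dev` names and then rewrite `metadata.name` and `spec.group`, so the CRD generator must keep emitting the default suffix. Suggested comment: `#! The generated CRDs always carry the default pinniped.dev suffix; this overlay matches on that name and then rewrites metadata.name and spec.group to use api_group_suffix.`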
@@ -30,6 +30,7 @@ metadata:
 data:
   #@yaml/text-templated-strings
   pinniped.yaml: |
+    apiGroupSuffix: (@= data.values.api_group_suffix @)
     names:
       defaultTLSCertificateSecret: (@= defaultResourceNameWithSuffix("default-tls-certificate") @)
     labels: (@= json.encode(labels()).rstrip() @)
diff --git a/deploy/supervisor/helpers.lib.yaml b/deploy/supervisor/helpers.lib.yaml
index 452faa75..6ad07f4b 100644
--- a/deploy/supervisor/helpers.lib.yaml
+++ b/deploy/supervisor/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -12,6 +12,10 @@
 #@ return data.values.app_name + "-" + suffix
 #@ end
 
+#@ def pinnipedDevAPIGroupWithPrefix(prefix):
+#@ return prefix + "." + data.values.api_group_suffix
+#@ end
+
 #@ def namespace():
 #@ if data.values.into_namespace:
 #@ return data.values.into_namespace
diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml
index 44b7b93a..ea7f4e65 100644
--- a/deploy/supervisor/rbac.yaml
+++ b/deploy/supervisor/rbac.yaml
@@ -1,8 +1,8 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")
+#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
 
 #! Give permission to various objects within the app's own namespace
 ---
@@ -16,13 +16,16 @@ rules:
   - apiGroups: [""]
     resources: [secrets]
     verbs: [create, get, list, patch, update, watch, delete]
-  - apiGroups: [config.supervisor.pinniped.dev]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
     resources: [federationdomains]
     verbs: [update, get, list, watch]
-  - apiGroups: [idp.supervisor.pinniped.dev]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
     resources: [oidcidentityproviders]
     verbs: [get, list, watch]
-  - apiGroups: [idp.supervisor.pinniped.dev]
+  - apiGroups:
+      - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
     resources: [oidcidentityproviders/status]
     verbs: [get, patch, update]
   #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml
index e522155f..fd27b336 100644
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -59,3 +59,9 @@ log_level: #! By default, when this value is left unset, only warnings and error
 run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
 run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
+ #! Specify the API group suffix for all Pinniped API groups. By default, this is set to
+#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
+#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
+#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+api_group_suffix: pinniped.dev
diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml
index e7888f5b..c3bb8173 100644
--- a/deploy/supervisor/z0_crd_overlay.yaml
+++ b/deploy/supervisor/z0_crd_overlay.yaml
@@ -1,17 +1,24 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:overlay", "overlay")
-#@ load("helpers.lib.yaml", "labels")
+#@ load("helpers.lib.yaml", "labels", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:data", "data")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"federationdomains.config.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("federationdomains.config.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
 
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
+  name: #@ pinnipedDevAPIGroupWithPrefix("oidcidentityproviders.idp.supervisor")
+spec:
+  group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")