split up build.sh and deploy.sh

2023-08-31 17:24:31 -04:00 · 2023-08-31 17:24:31 -04:00 · 65ad596463
commit 65ad596463
parent e8d3b388a7
4 changed files with 214 additions and 239 deletions
--- a/deploy_carvel/build.sh
+++ b/deploy_carvel/build.sh
@ -6,119 +6,111 @@ set -u # error if variables undefined
 set -o pipefail # prevent masking errors in a pipeline
 # set -x # print all executed commands to terminal

-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-BLUE='\033[0;34m'
-DEFAULT='\033[0m'
-
-echo_yellow() {
-    echo -e "${YELLOW}>> $@${DEFAULT}\n"
-    # printf "${GREEN}$@${DEFAULT}"
+#
+# Helper functions
+#
+function log_note() {
+  GREEN='\033[0;32m'
+  NC='\033[0m'
+  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+    echo -e "${GREEN}$*${NC}"
+  else
+    echo "$*"
+  fi
 }

-echo_green() {
-    echo -e "${GREEN}>> $@${DEFAULT}\n"
-    # printf "${BLUE}$@${DEFAULT}"
-}
-echo_red() {
-    echo -e "${RED}>> $@${DEFAULT}\n"
-    # printf "${BLUE}$@${DEFAULT}"
-}
-echo_blue() {
-    echo -e "${BLUE}>> $@${DEFAULT}\n"
-    # printf "${BLUE}$@${DEFAULT}"
+function log_error() {
+  RED='\033[0;31m'
+  NC='\033[0m'
+  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+    echo -e "🙁${RED} Error: $* ${NC}"
+  else
+    echo ":( Error: $*"
+  fi
 }

-# got a cluster?
-echo_yellow "Verify you have a functional kind cluster, otherwise this will fail....."
-# ./kind-with-registry.sh
-# got kapp-controller bits?
-kubectl get customresourcedefinitions
+function check_dependency() {
+  if ! command -v "$1" >/dev/null; then
+    log_error "Missing dependency..."
+    log_error "$2"
+    exit 1
+  fi
+}
+
+
+
+log_note "Deploying kapp-controller on kind cluster..."
 kapp deploy --app kapp-controller --file https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml -y
 kubectl get customresourcedefinitions
-
-# this argument is given to kapp-controller by default
-# in the above deployment manfiest:
+# Global kapp-controller-namespace:
 #   -packaging-global-namespace=kapp-controller-packaging-global
-# which means, PackageRepos and Packages ought be installed in this
-# namespace to be globally available by default, since
-# PackageRepos and Packages are namespaced resources.
+# kapp-controller resources like PackageRepository and Package are namepaced.
+# However, this namespace, provided via flag to kapp-controller in the yaml above,
+# defines a "global" namespace.  That is, resources installed in this namespace
+# can be installed in every namespace as kapp will always pay attention to its
+# pseudo-global namespace.
 KAPP_CONTROLLER_GLOBAL_NAMESPACE="kapp-controller-packaging-global"

-# TODO: since I removed the deployments there is not much in the ./imgpkg/images.yaml output
-#
-# build images found in these directories.
-# make use of build.yaml files to specify how builds should work,
-# if we need it to be done.
-# kbld --file ./concierge/config --imgpkg-lock-output ./concierge/.imgpkg/images.yml

-# this is used in the package-template.yml file for declaring where the package will live.
-# we need to know where these package images should live :)
-# REPO_HOST="1.2.3.4.fake.repo.host:5000"
-# PACKAGE_REPO_HOST="projects.registry.vmware.com/pinniped/pinniped-server"
-# PACKAGE_REPO_HOST="docker.io/benjaminapetersen/pinniped-package-repo"
+# TODO: final resting place for these images (PackageRepository, Packge) will need to
+# be in the same plate as our regular images:
+# - https://github.com/vmware-tanzu/pinniped/releases/tag/v0.25.0
+# namely docker.io/getpinniped/ and projects.registry.vmware.com/pinniped/
+#
 PACKAGE_REPO_HOST="benjaminapetersen/pinniped-package-repo"
+# TODO: this variable is currently a little quirky as our values.yaml files do NOT pin pinniped to a specific
+# hard-coded version.  Rather, Pinniped's values.yaml allows for a passed-in version.
 PINNIPED_PACKAGE_VERSION="0.25.0"

-# TODO: cp ./deploy/supervisor.... into ./deploy_carvel/supervisor/config...
-# TODO: cp ./deploy/concierge.... into ./deploy_carvel/concierge/config...
-# -- we should copy this over, yeah?
-#   NOTE: I did make changes to values.yaml to turn it into a values schema....
+# TODO: should we copy these directories:
+# - ../deploy/supervisor/config/*
+# - ../deploy/concierge/config/*
+# rather than duplicating the files?
+# in this exercise, I have transformed the values.yaml into a "values schema" so this would have to be
+# migrated up.  There are some incompatibilities here, in that a values schema assesses the type of value
+# by the default.  currently many of the values have no actual default.

-echo ""
-echo_yellow "cleaning ./package-repository..."
+log_note "Cleaning ./package-repository to generate new..."
 PACKAGE_REPOSITORY_DIR="package-repository"
 rm -rf "./${PACKAGE_REPOSITORY_DIR}"
 mkdir -p "./${PACKAGE_REPOSITORY_DIR}/.imgpkg"
 mkdir -p "./${PACKAGE_REPOSITORY_DIR}/packages/concierge.pinniped.dev"
 mkdir -p "./${PACKAGE_REPOSITORY_DIR}/packages/supervisor.pinniped.dev"

-PACKAGE_INSTALL_DIR="temp_actual_deploy_resources"
-rm -rf "./${PACKAGE_INSTALL_DIR}"
-mkdir "./${PACKAGE_INSTALL_DIR}"

-## TODO:
-## "${resource_name}/deployment.yml" vs "${resource_name}/deployment-HACKED.yml"
-## the real one has images.
-## - CURRENTLY the deployment.yaml files don't work, there is some error with pushing images.
-##   come back to this later?
+log_note "Generating PackageRepository and Packages for Pinniped version ${PINNIPED_PACKAGE_VERSION}"
 declare -a arr=("supervisor" "concierge")
 for resource_name in "${arr[@]}"
 do
-  echo ""
-  echo_yellow "handling ${resource_name}..."
+  log_note "Generating for ${resource_name}..."

-  # just simple templating
-  echo_yellow "generating ${resource_name}/.imgpkg/images.yaml"
-  # there are bits for image substitution in some of the ytt commands
+  log_note "Generating ${resource_name} imgpkg lock file... ${resource_name}/.imgpkg/images.yaml"
  kbld --file "./${resource_name}/config/" --imgpkg-lock-output "./${resource_name}/.imgpkg/images.yml"

  # generate a schema in each package directory
-  echo_yellow "generating ./${resource_name}/schema-openapi.yaml"
+  log_note "Generating ${resource_name} OpenAPIv3 Schema... ./${resource_name}/schema-openapi.yaml"
  ytt \
    --file "${resource_name}/config/values.yaml" \
    --data-values-schema-inspect --output openapi-v3 > "${resource_name}/schema-openapi.yml"

-  # TODO:
-  # push each package to the repository
-  # note that I am hacking at this pattern to just get them to my dockerhub
-  # this may or may not be the pattern we want when we push to a formal repository location
-  # package_push_repo_location="${PACKAGE_REPO_HOST}/packages/${resource_name}:${PINNIPED_PACKAGE_VERSION}"
+  # TODO: this is not the pattern we want.
+  # final resting place should be with our primary Pinniped image at:
+  # - projects.registry.vmware.com/pinniped/pinniped-server:v0.25.0	VMware Harbor
+  # - docker.io/getpinniped/pinniped-server:v0.25.0	DockerHub
  package_push_repo_location="${PACKAGE_REPO_HOST}-package-${resource_name}:${PINNIPED_PACKAGE_VERSION}"
-  echo_yellow "pushing package image: ${package_push_repo_location} ..."
+  log_note "Pushing ${resource_name} package image: ${package_push_repo_location} ..."
  imgpkg push --bundle "${package_push_repo_location}" --file "./${resource_name}"

  resource_package_version="${resource_name}.pinniped.dev"
-  echo_yellow "generating ./${PACKAGE_REPOSITORY_DIR}/packages/${resource_package_version}/${PINNIPED_PACKAGE_VERSION}.yml"
+  log_note "Generating ${resource_name} PackageRepository yaml..."
+  log_note "generating ./${PACKAGE_REPOSITORY_DIR}/packages/${resource_package_version}/${PINNIPED_PACKAGE_VERSION}.yml"
  ytt \
    --file "${resource_name}/package-template.yml" \
    --data-value-file openapi="$(pwd)/${resource_name}/schema-openapi.yml" \
    --data-value package_version="${PINNIPED_PACKAGE_VERSION}" \
    --data-value package_image_repo="${package_push_repo_location}" > "${PACKAGE_REPOSITORY_DIR}/packages/${resource_package_version}/${PINNIPED_PACKAGE_VERSION}.yml"

-  echo_yellow "generating ./${PACKAGE_REPOSITORY_DIR}/packages/${resource_package_version}/metadata.yml"
+  log_note "generating ./${PACKAGE_REPOSITORY_DIR}/packages/${resource_package_version}/metadata.yml"
  ytt \
    --file "${resource_name}/metadata.yml" \
    --data-value-file openapi="$(pwd)/${resource_name}/schema-openapi.yml" \
@ -127,18 +119,20 @@ do

 done

-echo_yellow "generating ./${PACKAGE_REPOSITORY_DIR}/.imgpkg/images.yml"
+log_note "Generating Pinniped PackageRepository..."
+log_note "Generating ./${PACKAGE_REPOSITORY_DIR}/.imgpkg/images.yml"
 kbld --file "./${PACKAGE_REPOSITORY_DIR}/packages/" --imgpkg-lock-output "${PACKAGE_REPOSITORY_DIR}/.imgpkg/images.yml"
 package_repository_push_repo_location="${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}"
-echo_yellow "pushing package repository image: ${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}..."
+log_note "Pushing Pinniped package repository image: ${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}..."
 imgpkg push --bundle "${package_repository_push_repo_location}" --file "./${PACKAGE_REPOSITORY_DIR}"

-echo_yellow "validating imgpkg package bundle contents..."
-imgpkg pull --bundle "${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}" --output "/tmp/${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}"
-ls -la "/tmp/${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}"
+# handy for a quick debug
+# log_note "Validating imgpkg package bundle contents..."
+# imgpkg pull --bundle "${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}" --output "/tmp/${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}"
+# ls -la "/tmp/${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}"


-echo_yellow "deploying PackageRepository..."
+log_note "Generating PackageRepository yaml file..."
 PINNIPED_PACKGE_REPOSITORY_NAME="pinniped-package-repository"
 PINNIPED_PACKGE_REPOSITORY_FILE="packagerepository.${PINNIPED_PACKAGE_VERSION}.yml"
 echo -n "" > "${PINNIPED_PACKGE_REPOSITORY_FILE}"
@ -155,163 +149,5 @@ spec:
      image: "${PACKAGE_REPO_HOST}:${PINNIPED_PACKAGE_VERSION}"
 EOT

-
-# Now, gotta make this work.  It'll be interesting if we can...
-kapp deploy --app "${PINNIPED_PACKGE_REPOSITORY_NAME}" --file "${PINNIPED_PACKGE_REPOSITORY_FILE}" -y
-kapp inspect --app "${PINNIPED_PACKGE_REPOSITORY_NAME}" --tree
-
-sleep 2 # TODO: remove
-
-# this is just a note to break this up, probably should use a separate ./deploy_stuff.sh file.
-# at this point, we are "consumers".
-# above we are packaging.
-# this would be separated out into another script or potentially
-# be on the user to craft (though we should likely provide something)
-echo_green "Package Installation...."
-
-echo_yellow "deploying RBAC for use with pinniped PackageInstall..."
-
-# TODO: obviously a mega-role that can do everything is not good. we need to scope this down to appropriate things.
-declare -a arr=("supervisor" "concierge")
-for resource_name in "${arr[@]}"
-do
-
-NAMESPACE="${resource_name}-ns"
-PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
-PINNIPED_PACKAGE_RBAC_FILE="./${PACKAGE_INSTALL_DIR}/${PINNIPED_PACKAGE_RBAC_PREFIX}-${resource_name}-rbac.yml"
-
-echo -n "" > "${PINNIPED_PACKAGE_RBAC_FILE}"
-cat <<EOF >> "${PINNIPED_PACKAGE_RBAC_FILE}"
-# ---
-# apiVersion: v1
-# kind: Namespace
-# metadata:
-#  name: "${NAMESPACE}" <--- "supervisor-ns" will cause other package install errors.
---
-# ServiceAccount details from the file linked above
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
-  # namespace: "${NAMESPACE}"
-  namespace: default # --> sticking to default for everything for now.
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-role-superadmin-dangerous"
-rules:
- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["*"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-role-binding-superadmin-dangerous"
-subjects:
- kind: ServiceAccount
-  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
-  # namespace: "${NAMESPACE}"
-  namespace: default # --> sticking to default for everything for now.
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-role-superadmin-dangerous"
-
-EOF
-
-kapp deploy --app "${PINNIPED_PACKAGE_RBAC_PREFIX}" --file "${PINNIPED_PACKAGE_RBAC_FILE}" -y
-done
-
-
-#PINNIPED_PACKAGE_RBAC_FILE="./${PACKAGE_INSTALL_DIR}/${PINNIPED_PACKAGE_RBAC_PREFIX}-rbac.yml"
-## TODO: obviously a mega-role that can do everything is not good.
-#echo -n "" > "${PINNIPED_PACKAGE_RBAC_FILE}"
-#cat <<EOF >> "${PINNIPED_PACKAGE_RBAC_FILE}"
-#
-echo_yellow "deploying PackageInstall resources for pinniped supervisor and concierge packages..."
-for resource_name in "${arr[@]}"
-do
-
-NAMESPACE="${resource_name}-ns"
-PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
-RESOURCE_PACKGE_VERSION="${resource_name}.pinniped.dev"
-PACKAGE_INSTALL_FILE_NAME="./${PACKAGE_INSTALL_DIR}/${resource_name}-pkginstall.yml"
-SECRET_NAME="${resource_name}-package-install-secret"
-cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
-apiVersion: packaging.carvel.dev/v1alpha1
-kind: PackageInstall
-metadata:
-    # name, does not have to be versioned, versionSelection.constraints below will handle
-    name: "${resource_name}-package-install"
-    # namespace: "${NAMESPACE}"
-    namespace: default # --> sticking to default for everything for now.
-spec:
-  serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
-  packageRef:
-    refName: "${RESOURCE_PACKGE_VERSION}"
-    versionSelection:
-      constraints: "${PINNIPED_PACKAGE_VERSION}"
-  values:
-  - secretRef:
-      name: "${SECRET_NAME}"
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: "${SECRET_NAME}"
-stringData:
-  values.yml: |
-    ---
-    namespace: "${NAMESPACE}"
-    app_name: "${resource_name}-app-awesomeness"
-    replicas: 3
-EOF
-
-KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
-echo_yellow "deploying ${KAPP_CONTROLLER_APP_NAME}..."
-kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
-
-done
-
-echo_yellow "verifying PackageInstall resources..."
-kubectl get PackageInstall -A | grep pinniped
-kubectl get secret -A | grep pinniped
-
-echo_yellow "listing all package resources (PackageRepository, Package, PackageInstall)..."
-kubectl get pkgi && kubectl get pkgr && kubectl get pkg
-
-echo_yellow "listing all kapp cli apps..."
-# list again what is installed so we can ensure we have everything
-kapp ls --all-namespaces
-
-# these are fundamentally different than what kapp cli understands, unfortunately.
-# the term "app" is overloaded in Carvel and can mean two different things, based on
-# the use of kapp cli and kapp-controller on cluster
-echo_yellow "listing all kapp-controller apps..."
-kubectl get app --all-namespaces
-
-# TODO:
-# update the deployment.yaml and remove the deployment-HACKED.yaml files
-# both are probably hacked a bit, so delete them and just get fresh from the ./deploy directory
-# then make sure REAL PINNIPED actually deploys.
-
-
-# In the end we should have:
-# docker pull benjaminapetersen/pinniped-package-repo:latest
-# docker pull benjaminapetersen/pinniped-package-repo-package-supervisor:0.25.0
-# docker pull benjaminapetersen/pinniped-package-repo-package-concierge:0.25.0
-
-# echo_yellow "verifying RBAC resources created (namespace, serviceaccount, clusterrole, clusterrolebinding)..."
-# kubectl get ns -A | grep pinniped
-# kubectl get sa -A | grep pinniped
-# kubectl get ClusterRole -A | grep pinniped
-# kubectl get clusterrolebinding -A | grep pinniped
-
-
-# stuff
-kubectl get PackageRepository -A
-kubectl get Package -A
-kubectl get PackageInstall -A
+log_note "To deploy the PackageRepository, run 'kapp deploy --app pinniped-repo --file ${PINNIPED_PACKGE_REPOSITORY_FILE}'"
+log_note "Or use the sibling deploy.sh script"
--- a/deploy_carvel/deploy.sh
+++ b/deploy_carvel/deploy.sh
@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+
+# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# This script can be used to prepare a kind cluster and deploy the app.
+# You can call this script again to redeploy the app.
+# It will also output instructions on how to run the integration.
+#
+
+set -euo pipefail
+
+
+# deploy the Carvel packages for Pinniped & Supervisor.
+# - Deploy the PackageRepository
+# - Create PackageInstalls for Supervisor, Concierge
+#   - deploy these
+# - then after, run hack/prepare-supervisor-on-kind.sh
+#   - ideally this configures the Supervisor
+
+
+# need a directory for our yamls for deployment
+echo ""
+PACKAGE_INSTALL_DIR="temp_actual_deploy_resources"
+rm -rf "./${PACKAGE_INSTALL_DIR}"
+mkdir "./${PACKAGE_INSTALL_DIR}"
+
+
+log_note "Deploying Pinniped PackageRepository on kind cluster..."
+# Now, gotta make this work.  It'll be interesting if we can...
+kapp deploy --app "${PINNIPED_PACKGE_REPOSITORY_NAME}" --file "${PINNIPED_PACKGE_REPOSITORY_FILE}" -y
+kapp inspect --app "${PINNIPED_PACKGE_REPOSITORY_NAME}" --tree
+
+
+
+
+log_note "Generating RBAC for use with pinniped PackageInstall..."
+
+# TODO: obviously a mega-role that can do everything is not good. we need to scope this down to appropriate things.
+declare -a arr=("supervisor" "concierge")
+for resource_name in "${arr[@]}"
+do
+
+  NAMESPACE="${resource_name}-ns"
+  PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+  PINNIPED_PACKAGE_RBAC_FILE="./${PACKAGE_INSTALL_DIR}/${PINNIPED_PACKAGE_RBAC_PREFIX}-${resource_name}-rbac.yml"
+
+  echo -n "" > "${PINNIPED_PACKAGE_RBAC_FILE}"
+  cat <<EOF >> "${PINNIPED_PACKAGE_RBAC_FILE}"
+# ---
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+#  name: "${NAMESPACE}" <--- "supervisor-ns" will cause other package install errors.
+---
+# ServiceAccount details from the file linked above
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+  # namespace: "${NAMESPACE}"
+  namespace: default # --> sticking to default for everything for now.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-role-superadmin-dangerous"
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+  # namespace: "${NAMESPACE}"
+  namespace: default # --> sticking to default for everything for now.
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "${PINNIPED_PACKAGE_RBAC_PREFIX}-role-superadmin-dangerous"
+
+EOF
+
+  kapp deploy --app "${PINNIPED_PACKAGE_RBAC_PREFIX}" --file "${PINNIPED_PACKAGE_RBAC_FILE}" -y
+done
+
+
+
+log_note "Deploying PackageInstall resources for pinniped supervisor and concierge packages..."
+for resource_name in "${arr[@]}"
+do
+
+  NAMESPACE="${resource_name}-ns"
+  PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+  RESOURCE_PACKGE_VERSION="${resource_name}.pinniped.dev"
+  PACKAGE_INSTALL_FILE_NAME="./${PACKAGE_INSTALL_DIR}/${resource_name}-pkginstall.yml"
+  SECRET_NAME="${resource_name}-package-install-secret"
+  cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+    # name, does not have to be versioned, versionSelection.constraints below will handle
+    name: "${resource_name}-package-install"
+    # namespace: "${NAMESPACE}"
+    namespace: default # --> sticking to default for everything for now.
+spec:
+  serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+  packageRef:
+    refName: "${RESOURCE_PACKGE_VERSION}"
+    versionSelection:
+      constraints: "${PINNIPED_PACKAGE_VERSION}"
+  values:
+  - secretRef:
+      name: "${SECRET_NAME}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${SECRET_NAME}"
+stringData:
+  values.yml: |
+    ---
+    namespace: "${NAMESPACE}"
+    app_name: "${resource_name}-app-awesomeness"
+    replicas: 3
+EOF
+
+  KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
+  log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
+  kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
+
+done
--- a/deploy_carvel/package-repository/.imgpkg/images.yml
+++ b/deploy_carvel/package-repository/.imgpkg/images.yml
@ -14,5 +14,5 @@ images:
      - resolved:
          tag: 0.25.0
          url: benjaminapetersen/pinniped-package-repo-package-supervisor:0.25.0
-  image: index.docker.io/benjaminapetersen/pinniped-package-repo-package-supervisor@sha256:12577787d82b4f565be28c65c229c87dd8ac9890d0f44a690725fdb4ac7f4082
+  image: index.docker.io/benjaminapetersen/pinniped-package-repo-package-supervisor@sha256:53b9a52d499492d372688198e0cf9c9598835047ec67684f908f512f8a28fc96
 kind: ImagesLock
--- a/deploy_carvel/supervisor/config/values.yaml
+++ b/deploy_carvel/supervisor/config/values.yaml
@ -40,7 +40,7 @@ package_image_repo: docker.io/benjaminapetersen/some-pinniped-supervisor-package
 #@schema/nullable
 package_image_digest: sha256:123456
 #@schema/nullable
-package_image_tag: latest
+package_image_tag: latest #! TODO; so since we allow the deployment to pass in the image tag, not sure the value in versions of packages?
 #! prob should not be nullable
 #@schema/nullable
 package_version: 1.2.3