diff --git a/deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml b/deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml
new file mode 100644
index 00000000..bc8397cc
--- /dev/null
+++ b/deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml
@@ -0,0 +1,360 @@
+#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+#@ load("@ytt:json", "json")
+#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:template", "template")
+
+#@ if not data.values.into_namespace:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: #@ data.values.namespace
+ labels:
+ _: #@ template.replace(labels())
+ #! When deploying onto a cluster which has PSAs enabled by default for namespaces,
+ #! effectively disable them for this namespace. The kube-cert-agent Deployment's pod
+ #! created by the Concierge in this namespace needs to be able to perform privileged
+ #! actions. The regular Concierge pod containers created by the Deployment below do
+ #! not need special privileges and are marked as such in their securityContext settings.
+ pod-security.kubernetes.io/enforce: privileged
+#@ end
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: #@ defaultResourceName()
+ namespace: #@ namespace()
+ labels: #@ labels()
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
+ namespace: #@ namespace()
+ labels: #@ labels()
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+ namespace: #@ namespace()
+ labels: #@ labels()
+ annotations:
+ #! we need to create this service account before we create the secret
+ kapp.k14s.io/change-group: "impersonation-proxy.concierge.pinniped.dev/serviceaccount"
+secrets: #! make sure the token controller does not create any other secrets
+- name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: #@ defaultResourceNameWithSuffix("config")
+ namespace: #@ namespace()
+ labels: #@ labels()
+data:
+ #! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below.
+ #@yaml/text-templated-strings
+ pinniped.yaml: |
+ discovery:
+ url: (@= data.values.discovery_url or "null" @)
+ api:
+ servingCertificate:
+ durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
+ renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
+ apiGroupSuffix: (@= data.values.api_group_suffix @)
+ # aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
+ # impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
+ names:
+ servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
+ credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
+ apiService: (@= defaultResourceNameWithSuffix("api") @)
+ impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @)
+ impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @)
+ impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @)
+ impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @)
+ impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @)
+ agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @)
+ labels: (@= json.encode(labels()).rstrip() @)
+ kubeCertAgent:
+ namePrefix: (@= 
defaultResourceNameWithSuffix("kube-cert-agent-") @) + (@ if data.values.kube_cert_agent_image: @) + image: (@= data.values.kube_cert_agent_image @) + (@ else: @) + (@ if data.values.image_digest: @) + image: (@= data.values.image_repo + "@" + data.values.image_digest @) + (@ else: @) + image: (@= data.values.image_repo + ":" + data.values.image_tag @) + (@ end @) + (@ end @) + (@ if data.values.image_pull_dockerconfigjson: @) + imagePullSecrets: + - image-pull-secret + (@ end @) + (@ if data.values.log_level or data.values.deprecated_log_format: @) + log: + (@ if data.values.log_level: @) + level: (@= getAndValidateLogLevel() @) + (@ end @) + (@ if data.values.deprecated_log_format: @) + format: (@= data.values.deprecated_log_format @) + (@ end @) + (@ end @) +--- +#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": +apiVersion: v1 +kind: Secret +metadata: + name: image-pull-secret + namespace: #@ namespace() + labels: #@ labels() +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson +#@ end +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: #@ defaultResourceName() + namespace: #@ namespace() + labels: #@ labels() +spec: + replicas: #@ data.values.replicas + selector: + #! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades. + matchLabels: #@ defaultLabel() + template: + metadata: + labels: + #! This has always included defaultLabel(), which is used by this Deployment's selector. + _: #@ template.replace(defaultLabel()) + #! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically + #! without accidentally selecting any other Deployment's Pods, especially the kube cert agent Deployment's Pods. 
+ _: #@ template.replace(deploymentPodLabel()) + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + securityContext: + runAsUser: #@ data.values.run_as_user + runAsGroup: #@ data.values.run_as_group + serviceAccountName: #@ defaultResourceName() + #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": + imagePullSecrets: + - name: image-pull-secret + #@ end + containers: + - name: #@ defaultResourceName() + #@ if data.values.image_digest: + image: #@ data.values.image_repo + "@" + data.values.image_digest + #@ else: + image: #@ data.values.image_repo + ":" + data.values.image_tag + #@ end + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a + #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's + #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error. 
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "128Mi"
+ limits:
+ cpu: "100m"
+ memory: "128Mi"
+ command:
+ - pinniped-concierge
+ - --config=/etc/config/pinniped.yaml
+ - --downward-api-path=/etc/podinfo
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: config-volume
+ mountPath: /etc/config
+ readOnly: true
+ - name: podinfo
+ mountPath: /etc/podinfo
+ readOnly: true
+ - name: impersonation-proxy
+ mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
+ readOnly: true
+ env:
+ #@ if data.values.https_proxy:
+ - name: HTTPS_PROXY
+ value: #@ data.values.https_proxy
+ #@ end
+ #@ if data.values.https_proxy and data.values.no_proxy:
+ - name: NO_PROXY
+ value: #@ data.values.no_proxy
+ #@ end
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 10250
+ scheme: HTTPS
+ initialDelaySeconds: 2
+ timeoutSeconds: 15
+ periodSeconds: 10
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 10250
+ scheme: HTTPS
+ initialDelaySeconds: 2
+ timeoutSeconds: 3
+ periodSeconds: 10
+ failureThreshold: 3
+ volumes:
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ sizeLimit: 100Mi
+ - name: config-volume
+ configMap:
+ name: #@ defaultResourceNameWithSuffix("config")
+ - name: impersonation-proxy
+ secret:
+ secretName: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+ items: #! make sure our pod does not start until the token controller has a chance to populate the secret
+ - key: token
+ path: token
+ - name: podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "name"
+ fieldRef:
+ fieldPath: metadata.name
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/master #! Allow running on master nodes too (name deprecated by kubernetes 1.20).
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane #! The new name for these nodes as of Kubernetes 1.24.
+ effect: NoSchedule
+ #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
+ #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
+ #!priorityClassName: system-cluster-critical
+ #! This will help make sure our multiple pods run on different nodes, making
+ #! our deployment "more" "HA".
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ podAffinityTerm:
+ labelSelector:
+ matchLabels: #@ deploymentPodLabel()
+ topologyKey: kubernetes.io/hostname
+---
+apiVersion: v1
+kind: Service
+metadata:
+ #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below.
+ name: #@ defaultResourceNameWithSuffix("api")
+ namespace: #@ namespace()
+ labels: #@ labels()
+ #! prevent kapp from altering the selector of our services to match kubectl behavior
+ annotations:
+ kapp.k14s.io/disable-default-label-scoping-rules: ""
+spec:
+ type: ClusterIP
+ selector: #@ deploymentPodLabel()
+ ports:
+ - protocol: TCP
+ port: 443
+ targetPort: 10250
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: #@ defaultResourceNameWithSuffix("proxy")
+ namespace: #@ namespace()
+ labels: #@ labels()
+ #! prevent kapp from altering the selector of our services to match kubectl behavior
+ annotations:
+ kapp.k14s.io/disable-default-label-scoping-rules: ""
+spec:
+ type: ClusterIP
+ selector: #@ deploymentPodLabel()
+ ports:
+ - protocol: TCP
+ port: 443
+ targetPort: 8444
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.login.concierge")
+ labels: #@ labels()
+spec:
+ version: v1alpha1
+ group: #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
+ groupPriorityMinimum: 9900
+ versionPriority: 15
+ #! caBundle: Do not include this key here.
Starts out null, will be updated/owned by the golang code. + service: + name: #@ defaultResourceNameWithSuffix("api") + namespace: #@ namespace() + port: 443 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.identity.concierge") + labels: #@ labels() +spec: + version: v1alpha1 + group: #@ pinnipedDevAPIGroupWithPrefix("identity.concierge") + groupPriorityMinimum: 9900 + versionPriority: 15 + #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code. + service: + name: #@ defaultResourceNameWithSuffix("api") + namespace: #@ namespace() + port: 443 +--- +apiVersion: #@ pinnipedDevAPIGroupWithPrefix("config.concierge") + "/v1alpha1" +kind: CredentialIssuer +metadata: + name: #@ defaultResourceNameWithSuffix("config") + labels: #@ labels() +spec: + impersonationProxy: + mode: #@ data.values.impersonation_proxy_spec.mode + #@ if data.values.impersonation_proxy_spec.external_endpoint: + externalEndpoint: #@ data.values.impersonation_proxy_spec.external_endpoint + #@ end + service: + type: #@ data.values.impersonation_proxy_spec.service.type + #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip: + loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip + #@ end + annotations: #@ data.values.impersonation_proxy_spec.service.annotations +--- +apiVersion: v1 +kind: Secret +metadata: + name: #@ defaultResourceNameWithSuffix("impersonation-proxy") + namespace: #@ namespace() + labels: #@ labels() + annotations: + #! wait until the SA exists to create this secret so that the token controller does not delete it + #! 
we have this secret at the end so that kubectl will create the service account first
+ kapp.k14s.io/change-rule: "upsert after upserting impersonation-proxy.concierge.pinniped.dev/serviceaccount"
+ kubernetes.io/service-account.name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
+type: kubernetes.io/service-account-token
diff --git a/deploy_carvel/_dev.SCRATCH/deploy_concierge.sh b/deploy_carvel/_dev.SCRATCH/deploy_concierge.sh
new file mode 100755
index 00000000..12d5cf9b
--- /dev/null
+++ b/deploy_carvel/_dev.SCRATCH/deploy_concierge.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+
+APP="pinn-conci"
+
+kapp deploy --app "${APP}" --diff-changes --file <(ytt \
+ --file concierge/config/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+ --file concierge/config/authentication.concierge.pinniped.dev_webhookauthenticcators.yaml
+ --file concierge/config/config.concierge.pinniped.dev_credential_issuers.yaml
+ --file concierge/config/deployment-HACKED.yaml \
+ --file concierge/config/helpers.lib.yaml \
+ --file concierge/config/rbac.yaml \
+ --file concierge/config/z0_crd_overlay.yaml \
+ --file concierge/config/values.yaml \
+ --data-value app_name=pinn-conci \
+ --data-value namespace=pinn-conci \
+ --data-value-yaml 'custom_labels={"foo": bar}' \
+ --data-value replicas=3)
+
+
+## template the thing
+#RENDER_OUTPUT_FILE=$(
+#ytt \
+# --file concierge/config/helpers.lib.yaml \
+# --file concierge/config/deployment.yaml \
+# --file concierge/config/service.yaml \
+# --file concierge/config/values.yaml \
+# --data-value app_name=pinn-super \
+# --data-value namespace=pinn-super \
+# --data-value-yaml 'custom_labels={"foo": bar}' \
+# --data-value replicas=3
+#)
+#
+## view it
+#echo "$RENDER_OUTPUT_FILE"
+#
+## give it to kapp
+#kapp deploy \
+# --app pinn-super \
+# --diff-changes \
+# --file <( "${RENDER_OUTPUT_FILE}" )
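Review bot: The Namespace resource near the top of the hunk carries only `pod-security.kubernetes.io/enforce: privileged`, with no `audit` or `warn` label, so nothing records other Pods in this namespace that exceed the restricted profile once the kube-cert-agent's need for privilege has been satisfied. Adding `pod-security.kubernetes.io/audit: restricted` next to it annotates the audit event for any non-conforming Pod without blocking admission; the Concierge container as written (runAsNonRoot, drop ALL, allowPrivilegeEscalation false, RuntimeDefault seccomp) should already satisfy restricted, so the kube-cert-agent Pods would be the only expected entries. Separately, this is a 360-line copy of the deployment template kept in `_dev.SCRATCH` under an `.old` suffix; a one-line header comment naming the file it was copied from and why it is retained would keep it from being mistaken for the live manifest.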
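Review bot: The first three `--file` arguments inside the `<(ytt \` process substitution have no trailing `\`, so the shell ends the ytt command after `..._jwtauthenticators.yaml` and then tries to run `--file concierge/config/..._webhookauthenticcators.yaml` and the following lines as commands of their own, leaving kapp with only the rendering of that single file. Append the continuation to those lines: `--file concierge/config/authentication.concierge.pinniped.dev_jwtauthenticators.yaml \`, `--file concierge/config/authentication.concierge.pinniped.dev_webhookauthenticcators.yaml \`, `--file concierge/config/config.concierge.pinniped.dev_credential_issuers.yaml \`. The second of those names is spelled `webhookauthenticcators` while its sibling is `jwtauthenticators`, which looks like a typo worth checking against the file actually present in `concierge/config/`. Both this script and deploy_supervisor.sh also hide ytt's exit status: a render failure inside the substitution cannot stop the script even with `set -e`, and kapp would then propose deleting whatever the app already holds that is missing from the truncated input, so rendering first with `RENDERED="$(ytt ...)" || exit 1` and passing `--file <(printf '%s' "${RENDERED}")` is safer — and is also the fix for the commented-out `--file <( "${RENDER_OUTPUT_FILE}" )` at the bottom, which would execute the rendered text as a command if uncommented.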
diff --git a/deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh b/deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh
new file mode 100755
index 00000000..fd3915e5
--- /dev/null
+++ b/deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# need to maintain this if used.
+# but there must be a way to get ytt to read a directory of files.
+#RENDERED_OUTPUT_FILES=$(
+#ytt \
+# --file supervisor/config/helpers.lib.yaml \
+# --file supervisor/config/config.supervisor.pinniped.dev_federationdomains.yaml \
+# --file supervisor/config/config.supervisor.pinniped.dev_oidcclients.yaml \
+# --file supervisor/config/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml \
+# --file supervisor/config/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml \
+# --file supervisor/config/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml \
+# --file supervisor/config/z0_crd_overlay.yaml \
+# --file supervisor/config/rbac.yaml \
+# --file supervisor/config/service.yaml \
+# --file supervisor/config/deployment.yaml \
+# --file supervisor/config/values.yaml \
+# --data-value app_name=pinn-super \
+# --data-value namespace=pinn-super \
+# --data-value-yaml 'custom_labels={"foo": bar}' \
+# --data-value replicas=3
+#)
+#
+#echo "${RENDERED_OUTPUT_FILES}"
+
+APP="pinn-super"
+
+kapp deploy --app "${APP}" --diff-changes --file <(ytt \
+ --file supervisor/config/helpers.lib.yaml \
+ --file supervisor/config/config.supervisor.pinniped.dev_federationdomains.yaml \
+ --file supervisor/config/config.supervisor.pinniped.dev_oidcclients.yaml \
+ --file supervisor/config/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml \
+ --file supervisor/config/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml \
+ --file supervisor/config/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml \
+ --file supervisor/config/z0_crd_overlay.yaml \
+ --file supervisor/config/rbac.yaml \
+ --file supervisor/config/service.yaml \
+ --file supervisor/config/deployment-HACKED.yaml \
+ --file supervisor/config/values.yaml \
+ --data-value app_name=pinn-super \
+ --data-value namespace=pinn-super \
+ --data-value-yaml 'custom_labels={"foo": bar}' \
+ --data-value replicas=3)
+
+ ## template the thing
+#RENDER_OUTPUT_FILE=$(
+#ytt \
+# --file supervisor/config/helpers.lib.yaml \
+# --file supervisor/config/deployment.yaml \
+# --file supervisor/config/service.yaml \
+# --file supervisor/config/values.yaml \
+# --data-value app_name=pinn-super \
+# --data-value namespace=pinn-super \
+# --data-value-yaml 'custom_labels={"foo": bar}' \
+# --data-value replicas=3
+#)
+#
+## view it
+#echo "$RENDER_OUTPUT_FILE"
+#
+## give it to kapp
+#kapp deploy \
+# --app pinn-super \
+# --diff-changes \
+# --file <( "${RENDER_OUTPUT_FILE}" )
diff --git a/deploy_carvel/_dev.SCRATCH/integration-test-env b/deploy_carvel/_dev.SCRATCH/integration-test-env
new file mode 100644
index 00000000..e75e1055
--- /dev/null
+++ b/deploy_carvel/_dev.SCRATCH/integration-test-env
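Review bot: The comment at the top of the file, `# but there must be a way to get ytt to read a directory of files.`, can be answered: ytt's `--file` accepts a directory path as well as a single file, so `--file supervisor/config/` would pull in everything under it. That does not fit this script as written, because the directory appears to hold both `deployment.yaml` (used by the commented-out block) and `deployment-HACKED.yaml` (used by the live command), so the per-file list is still needed until one of the two is moved aside; rewording the comment to say that would spare the next reader the same investigation. The value in `--data-value-yaml 'custom_labels={"foo": bar}'` is an unquoted YAML scalar that happens to parse as the string `bar`, but a label value such as `yes`, `no` or a number would be retyped, so `'custom_labels={"foo": "bar"}'` is the safer form here and in deploy_concierge.sh.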
@@ -0,0 +1,89 @@
+# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
+export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
+export PINNIPED_TEST_CONCIERGE_NAMESPACE=concierge
+export PINNIPED_TEST_CONCIERGE_APP_NAME=pinniped-concierge
+export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='{myConciergeCustomLabelName: myConciergeCustomLabelValue}'
+export PINNIPED_TEST_USER_USERNAME=test-username
+export PINNIPED_TEST_USER_GROUPS=test-group-0,test-group-1
+export PINNIPED_TEST_USER_TOKEN=test-username:bf1dc425a45f9ee37ccf6f35931a3609
+export PINNIPED_TEST_WEBHOOK_ENDPOINT=https://local-user-authenticator.local-user-authenticator.svc/authenticate
+export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=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
+export PINNIPED_TEST_SUPERVISOR_NAMESPACE=supervisor
+export PINNIPED_TEST_SUPERVISOR_APP_NAME=pinniped-supervisor
+export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}'
+export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
+export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
+export PINNIPED_TEST_LDAP_HOST=ldap.tools.svc.cluster.local
+export PINNIPED_TEST_LDAP_STARTTLS_ONLY_HOST=ldapstarttls.tools.svc.cluster.local
+export PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE="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"
+export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME="cn=admin,dc=pinniped,dc=dev"
+export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password
+export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE="ou=users,dc=pinniped,dc=dev"
+export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE="ou=groups,dc=pinniped,dc=dev"
+export PINNIPED_TEST_LDAP_USER_DN="cn=pinny,ou=users,dc=pinniped,dc=dev"
+export PINNIPED_TEST_LDAP_USER_CN="pinny"
+export PINNIPED_TEST_LDAP_USER_PASSWORD=342db8a6d3416ecc99a735f7d00db93d
+export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME="uidNumber"
+export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE="1000"
+export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME="mail"
+export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE="pinny.ldap@example.com"
+export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_DN="cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev;cn=seals,ou=groups,dc=pinniped,dc=dev"
+export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_DN="cn=pinnipeds,ou=groups,dc=pinniped,dc=dev;cn=mammals,ou=groups,dc=pinniped,dc=dev"
+export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_CN="ball-game-players;seals"
+export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN="ball-game-players-posix;seals-posix"
+export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_CN="pinnipeds;mammals"
+export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
+export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjekNDQVJxZ0F3SUJBZ0lVUmE4OENCQWhwbnpNVmt3bmJtQnJ2RXZQdzdVd0NnWUlLb1pJemowRUF3SXcKR0RFV01CUUdBMVVFQXhNTlVHbHVibWx3WldRZ1ZHVnpkREFlRncweU16QTRNamt4T1RBME1EQmFGdzB5T0RBNApNamN4T1RBME1EQmFNQmd4RmpBVUJnTlZCQU1URFZCcGJtNXBjR1ZrSUZSbGMzUXdXVEFUQmdjcWhrak9QUUlCCkJnZ3Foa2pPUFFNQkJ3TkNBQVN1cWVzRStZM1RwWER1c0lKSUFkUHVQU3N5Q3BzUGVUM3BhYnZHdTIwRlpNYXEKTWZLejJrZFlqenhKNlN4b2lTM3dmSkFwc0VRRU9MV1NTaG51QmlrdG8wSXdRREFPQmdOVkhROEJBZjhFQkFNQwpBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVam5Ua3dPc1NhbHVHOXZlcnBtc0VWVGRLCjZZd3dDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdkeTNUcFA3WUFXaVdaaWV6WFBBVVhLOWNIWDJmUW9GVndFZGIKaGhDSDRib0NJR2trNTg5VzZIcHRUMHFVR0sreG9YbzkzeXA4NDBCcXNHMEtoeW5GV29JTQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
+export PINNIPED_TEST_CLI_OIDC_CALLBACK_URL=http://127.0.0.1:48095/callback
+export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
+export PINNIPED_TEST_CLI_OIDC_PASSWORD=9306dcb43f0f8d0ccbad3d431c05940d
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjekNDQVJxZ0F3SUJBZ0lVUmE4OENCQWhwbnpNVmt3bmJtQnJ2RXZQdzdVd0NnWUlLb1pJemowRUF3SXcKR0RFV01CUUdBMVVFQXhNTlVHbHVibWx3WldRZ1ZHVnpkREFlRncweU16QTRNamt4T1RBME1EQmFGdzB5T0RBNApNamN4T1RBME1EQmFNQmd4RmpBVUJnTlZCQU1URFZCcGJtNXBjR1ZrSUZSbGMzUXdXVEFUQmdjcWhrak9QUUlCCkJnZ3Foa2pPUFFNQkJ3TkNBQVN1cWVzRStZM1RwWER1c0lKSUFkUHVQU3N5Q3BzUGVUM3BhYnZHdTIwRlpNYXEKTWZLejJrZFlqenhKNlN4b2lTM3dmSkFwc0VRRU9MV1NTaG51QmlrdG8wSXdRREFPQmdOVkhROEJBZjhFQkFNQwpBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVam5Ua3dPc1NhbHVHOXZlcnBtc0VWVGRLCjZZd3dDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdkeTNUcFA3WUFXaVdaaWV6WFBBVVhLOWNIWDJmUW9GVndFZGIKaGhDSDRib0NJR2trNTg5VzZIcHRUMHFVR0sreG9YbzkzeXA4NDBCcXNHMEtoeW5GV29JTQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES="offline_access,email"
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM=email
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM=groups
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_ID=pinniped-supervisor
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL=https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME=pinny@example.com
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=9306dcb43f0f8d0ccbad3d431c05940d
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS= # Dex's local user store does not let us configure groups.
+export PINNIPED_TEST_API_GROUP_SUFFIX='pinniped.dev'
+# PINNIPED_TEST_SHELL_CONTAINER_IMAGE should be a container which includes bash and sleep, used by some tests.
+export PINNIPED_TEST_SHELL_CONTAINER_IMAGE="ghcr.io/pinniped-ci-bot/test-kubectl:latest"
+
+# We can't set up an in-cluster active directory instance, but
+# if you have an active directory instance that you wish to run the tests against,
+# specify a script to set the ad-related environment variables.
+# You will need to set the environment variables that start with "PINNIPED_TEST_AD_"
+# found in pinniped/test/testlib/env.go.
+if [[ "" != "" ]]; then
+ source
+fi
+
+read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# The name of the cluster type.
+kubernetesDistribution: Kind
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: true
+
+ # Will the cluster successfully provision a load balancer if requested?
+ hasExternalLoadBalancerProvider: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
+
+ # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+ canReachInternetLDAPPorts: true
+PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
+
+export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
diff --git a/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml b/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml
new file mode 100644
index 00000000..ce305a12
--- /dev/null
+++ b/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml
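Review bot: This file checks credentials into the tree next to the test configuration: `PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password`, `PINNIPED_TEST_LDAP_USER_PASSWORD=...`, `PINNIPED_TEST_CLI_OIDC_PASSWORD=...`, `PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret` and the bearer value in `PINNIPED_TEST_USER_TOKEN`. The empty-string guard `if [[ "" != "" ]]; then` and the fixed local ports suggest the file is the output of a cluster-preparation script rather than hand-written, in which case it belongs in `.gitignore` rather than in the commit; if it has to stay, a header comment stating that every value here is specific to a throwaway local kind cluster and is regenerated on each run would stop readers and secret scanners from treating them as live. The bare `source` inside that `if` block takes no filename and would fail with a usage error if the condition were ever true, so the generator should emit the block only when it has a script path to substitute.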
@@ -0,0 +1,2662 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kapp-controller +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kapp-controller-packaging-global +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.data.packaging.carvel.dev +spec: + group: data.packaging.carvel.dev + groupPriorityMinimum: 100 + service: + name: packaging-api + namespace: kapp-controller + version: v1alpha1 + versionPriority: 100 +--- +apiVersion: v1 +kind: Service +metadata: + name: packaging-api + namespace: kapp-controller +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: kapp-controller +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: internalpackagemetadatas.internal.packaging.carvel.dev +spec: + group: internal.packaging.carvel.dev + names: + kind: InternalPackageMetadata + listKind: InternalPackageMetadataList + plural: internalpackagemetadatas + singular: internalpackagemetadata + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + categories: + description: Classifiers of the package (optional; Array of strings) + items: + type: string + type: array + displayName: + description: Human friendly name of the package (optional; string) + type: string + iconSVGBase64: + description: Base64 encoded icon (optional; string) + type: string + longDescription: + description: Long description of the package (optional; string) + type: string + maintainers: + description: List of maintainer info for the package. Currently only + supports the name key. (optional; array of maintner info) + items: + properties: + name: + type: string + type: object + type: array + providerName: + description: Name of the entity distributing the package (optional; + string) + type: string + shortDescription: + description: Short desription of the package (optional; string) + type: string + supportDescription: + description: Description of the support available for the package + (optional; string) + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: internalpackages.internal.packaging.carvel.dev +spec: + group: internal.packaging.carvel.dev + names: + kind: InternalPackage + listKind: InternalPackageList + plural: internalpackages + singular: internalpackage + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + capacityRequirementsDescription: + description: 'System requirements needed to install the package. Note: + these requirements will not be verified by kapp-controller on installation. + (optional; string)' + type: string + includedSoftware: + description: IncludedSoftware can be used to show the software contents + of a Package. This is especially useful if the underlying versions + do not match the Package version + items: + description: IncludedSoftware contains the underlying Software Contents + of a Package + properties: + description: + type: string + displayName: + type: string + version: + type: string + type: object + type: array + kappControllerVersionSelection: + description: KappControllerVersionSelection specifies the versions + of kapp-controller which can install this package + properties: + constraints: + type: string + type: object + kubernetesVersionSelection: + description: KubernetesVersionSelection specifies the versions of + k8s which this package can be installed on + properties: + constraints: + type: string + type: object + licenses: + description: Description of the licenses that apply to the package + software (optional; Array of strings) + items: + type: string + type: array + refName: + description: The name of the PackageMetadata associated with this + version Must be a valid PackageMetadata name (see PackageMetadata + CR for details) Cannot be empty + type: string + releaseNotes: + description: Version release notes (optional; string) + 
type: string + releasedAt: + description: Timestamp of release (iso8601 formatted string; optional) + format: date-time + nullable: true + type: string + template: + properties: + spec: + properties: + canceled: + description: Cancels current and future reconciliations (optional; + default=false) + type: boolean + cluster: + description: Specifies that app should be deployed to destination + cluster; by default, cluster is same as where this resource + resides (optional; v0.5.0+) + properties: + kubeconfigSecretRef: + description: Specifies secret containing kubeconfig (required) + properties: + key: + description: Specifies key that contains kubeconfig + (optional) + type: string + name: + description: Specifies secret name within app's namespace + (required) + type: string + type: object + namespace: + description: Specifies namespace in destination cluster + (optional) + type: string + type: object + deploy: + items: + properties: + kapp: + description: Use kapp to deploy resources + properties: + delete: + description: Configuration for delete command (optional) + properties: + rawOptions: + description: Pass through options to kapp delete + (optional) + items: + type: string + type: array + type: object + inspect: + description: 'Configuration for inspect command + (optional) as of kapp-controller v0.31.0, inspect + is disabled by default add rawOptions or use an + empty inspect config like `inspect: {}` to enable' + properties: + rawOptions: + description: Pass through options to kapp inspect + (optional) + items: + type: string + type: array + type: object + intoNs: + description: Override namespace for all resources + (optional) + type: string + mapNs: + description: Provide custom namespace override mapping + (optional) + items: + type: string + type: array + rawOptions: + description: Pass through options to kapp deploy + (optional) + items: + type: string + type: array + type: object + type: object + type: array + fetch: + items: + properties: + git: + 
description: Uses git to clone repository + properties: + lfsSkipSmudge: + description: Skip lfs download (optional) + type: boolean + ref: + description: Branch, tag, commit; origin is the + name of the remote (optional) + type: string + refSelection: + description: Specifies a strategy to resolve to + an explicit ref (optional; v0.24.0+) + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + secretRef: + description: 'Secret with auth details. allowed + keys: ssh-privatekey, ssh-knownhosts, username, + password (optional) (if ssh-knownhosts is not + specified, git will not perform strict host checking)' + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + subPath: + description: Grab only portion of repository (optional) + type: string + url: + description: http or ssh urls are supported (required) + type: string + type: object + helmChart: + description: Uses helm fetch to fetch specified chart + properties: + name: + description: 'Example: stable/redis' + type: string + repository: + properties: + secretRef: + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + url: + description: Repository url; scheme of oci:// + will fetch experimental helm oci chart (v0.19.0+) + (required) + type: string + type: object + version: + type: string + type: object + http: + description: Uses http library to fetch file + properties: + secretRef: + description: 'Secret to provide auth details (optional) + Secret may include one or more keys: username, + password' + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + sha256: + description: Checksum to verify after download (optional) + type: string + subPath: + description: Grab only portion of download 
(optional) + type: string + url: + description: 'URL can point to one of following + formats: text, tgz, zip http and https url are + supported; plain file, tgz and tar types are supported + (required)' + type: string + type: object + image: + description: Pulls content from Docker/OCI registry + properties: + secretRef: + description: 'Secret may include one or more keys: + username, password, token. By default anonymous + access is used for authentication.' + properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + subPath: + description: Grab only portion of image (optional) + type: string + tagSelection: + description: Specifies a strategy to choose a tag + (optional; v0.24.0+) if specified, do not include + a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + url: + description: 'Docker image url; unqualified, tagged, + or digest references supported (required) Example: + username/app1-config:v0.1.0' + type: string + type: object + imgpkgBundle: + description: Pulls imgpkg bundle from Docker/OCI registry + (v0.17.0+) + properties: + image: + description: Docker image url; unqualified, tagged, + or digest references supported (required) + type: string + secretRef: + description: 'Secret may include one or more keys: + username, password, token. By default anonymous + access is used for authentication.' 
+ properties: + name: + description: Object is expected to be within + same namespace + type: string + type: object + tagSelection: + description: Specifies a strategy to choose a tag + (optional; v0.24.0+) if specified, do not include + a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + type: object + inline: + description: Pulls content from within this resource; + or other resources in the cluster + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their + content; not recommended for sensitive values + as CR is not encrypted (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config + maps; data values are recommended to be placed + in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + path: + description: Relative path to place the fetched artifacts + type: string + type: object + type: array + noopDelete: + description: Deletion requests for the App will result in + the App CR being deleted, but its associated resources will + not be deleted (optional; default=false; v0.18.0+) + type: boolean + paused: + description: Pauses _future_ reconciliation; does _not_ affect + currently running reconciliation (optional; default=false) + type: boolean + serviceAccountName: + description: Specifies that app should be deployed authenticated + via given service account, found in this namespace (optional; + v0.6.0+) + type: string + syncPeriod: + 
description: Specifies the length of time to wait, in time + + unit format, before reconciling. Always >= 30s. If value + below 30s is specified, 30s will be used. (optional; v0.9.0+; + default=30s) + type: string + template: + items: + properties: + cue: + properties: + inputExpression: + description: Cue expression for single path component, + can be used to unify ValuesFrom into a given field + (optional) + type: string + outputExpression: + description: Cue expression to output, default will + export all visible fields (optional) + type: string + paths: + description: Explicit list of files/directories + (optional) + items: + type: string + type: array + valuesFrom: + description: Provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects + a field of the app: only annotations, + labels, uid, name and namespace + are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running + KappController version, defaults + (empty) to retrieving the current + running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running + KubernetesAPIs from cluster, defaults + (empty) to retrieving the APIs + from the cluster. Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running + Kubernetes version from cluster, + defaults (empty) to retrieving + the version from the cluster. + Can be manually supplied instead.' 
+ properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + helmTemplate: + description: Use helm template command to render helm + chart + properties: + kubernetesAPIs: + description: 'Optional: Use kubernetes group/versions + resources available in the live cluster' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get Kubernetes version, + defaults (empty) to retrieving the version from + the cluster. Can be manually overridden to a value + instead.' + properties: + version: + type: string + type: object + name: + description: Set name explicitly, default is App + CR's name (optional; v0.13.0+) + type: string + namespace: + description: Set namespace explicitly, default is + App CR's namespace (optional; v0.13.0+) + type: string + path: + description: Path to chart (optional; v0.13.0+) + type: string + valuesFrom: + description: One or more secrets, config maps, paths + that provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects + a field of the app: only annotations, + labels, uid, name and namespace + are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running + KappController version, defaults + (empty) to retrieving the current + running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running + KubernetesAPIs from cluster, defaults + (empty) to retrieving the APIs + from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running + Kubernetes version from cluster, + defaults (empty) to retrieving + the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + jsonnet: + description: TODO implement jsonnet + type: object + kbld: + description: Use kbld to resolve image references to + use digests + properties: + paths: + items: + type: string + type: array + type: object + kustomize: + description: TODO implement kustomize + type: object + sops: + description: Use sops to decrypt *.sops.yml files (optional; + v0.11.0+) + properties: + age: + properties: + privateKeysSecretRef: + description: Secret with private armored PGP + private keys (required) + properties: + name: + type: string + type: object + type: object + paths: + description: Lists paths to decrypt explicitly (optional; + v0.13.0+) + items: + type: string + type: array + pgp: + description: Use PGP to decrypt files (required) + properties: + privateKeysSecretRef: + description: Secret with private armored PGP + private keys (required) + properties: + name: + type: string + type: object + type: object + type: object + ytt: + description: Use ytt to template configuration + properties: + fileMarks: + description: Control metadata about input files + passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ + for more details + items: + type: string + type: array + ignoreUnknownComments: + description: Ignores comments that ytt doesn't recognize + (optional; default=false) + type: boolean + inline: + description: Specify 
additional files, including + data values (optional) + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their + content; not recommended for sensitive values + as CR is not encrypted (optional) + type: object + pathsFrom: + description: Specifies content via secrets and + config maps; data values are recommended to + be placed in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place + files found in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + paths: + description: Lists paths to provide to ytt explicitly + (optional) + items: + type: string + type: array + strict: + description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md + (optional; default=false) + type: boolean + valuesFrom: + description: Provide values via ytt's --data-values-file + (optional; v0.19.0-alpha.9) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects + a field of the app: only annotations, + labels, uid, name and namespace + are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running + KappController version, defaults + (empty) to retrieving the current + running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running + KubernetesAPIs from cluster, defaults + (empty) to retrieving the APIs + from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running + Kubernetes version from cluster, + defaults (empty) to retrieving + the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + type: object + type: array + type: object + required: + - spec + type: object + valuesSchema: + description: valuesSchema can be used to show template values that + can be configured by users when a Package is installed in an OpenAPI + schema format. + properties: + openAPIv3: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + version: + description: Package version; Referenced by PackageInstall; Must be + valid semver (required) Cannot be empty + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: apps.kappctrl.k14s.io +spec: + group: kappctrl.k14s.io + names: + categories: + - carvel + kind: App + listKind: AppList + plural: apps + singular: app + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Friendly description + jsonPath: .status.friendlyDescription + name: Description + type: string + - description: Last time app started being deployed. Does not mean anything was + changed. 
+ jsonPath: .status.deploy.startedAt + name: Since-Deploy + type: date + - description: Time since creation + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: 'An App is a set of Kubernetes resources. These resources could + span any number of namespaces or could be cluster-wide (e.g. CRDs). An App + is represented in kapp-controller using a App CR. The App CR comprises of + three main sections: spec.fetch – declare source for fetching configuration + and OCI images spec.template – declare templating tool and values spec.deploy + – declare deployment tool and any deploy specific configuration' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canceled: + description: Cancels current and future reconciliations (optional; + default=false) + type: boolean + cluster: + description: Specifies that app should be deployed to destination + cluster; by default, cluster is same as where this resource resides + (optional; v0.5.0+) + properties: + kubeconfigSecretRef: + description: Specifies secret containing kubeconfig (required) + properties: + key: + description: Specifies key that contains kubeconfig (optional) + type: string + name: + description: Specifies secret name within app's namespace + (required) + type: string + type: object + namespace: + description: Specifies namespace in destination cluster (optional) + type: string + type: object + deploy: + items: + properties: + kapp: + description: Use kapp to deploy resources + properties: + delete: + description: Configuration for delete command (optional) + properties: + rawOptions: + description: Pass through options to kapp delete (optional) + items: + type: string + type: array + type: object + inspect: + description: 'Configuration for inspect command (optional) + as of kapp-controller v0.31.0, inspect is disabled by + default add rawOptions or use an empty inspect config + like `inspect: {}` to enable' + properties: + rawOptions: + description: Pass through options to kapp inspect (optional) + items: + type: string + type: array + type: object + intoNs: + description: Override namespace for all resources (optional) + type: string + mapNs: + description: Provide custom namespace override mapping (optional) + items: + type: string + type: array + rawOptions: + description: Pass through options to kapp deploy (optional) + items: + type: string + type: array + type: object + type: object + type: array + fetch: + items: + properties: + git: + description: Uses git to clone repository + 
properties: + lfsSkipSmudge: + description: Skip lfs download (optional) + type: boolean + ref: + description: Branch, tag, commit; origin is the name of + the remote (optional) + type: string + refSelection: + description: Specifies a strategy to resolve to an explicit + ref (optional; v0.24.0+) + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + secretRef: + description: 'Secret with auth details. allowed keys: ssh-privatekey, + ssh-knownhosts, username, password (optional) (if ssh-knownhosts + is not specified, git will not perform strict host checking)' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of repository (optional) + type: string + url: + description: http or ssh urls are supported (required) + type: string + type: object + helmChart: + description: Uses helm fetch to fetch specified chart + properties: + name: + description: 'Example: stable/redis' + type: string + repository: + properties: + secretRef: + properties: + name: + description: Object is expected to be within same + namespace + type: string + type: object + url: + description: Repository url; scheme of oci:// will fetch + experimental helm oci chart (v0.19.0+) (required) + type: string + type: object + version: + type: string + type: object + http: + description: Uses http library to fetch file + properties: + secretRef: + description: 'Secret to provide auth details (optional) + Secret may include one or more keys: username, password' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + sha256: + description: Checksum to verify after download (optional) + type: string + subPath: + description: Grab only portion of download (optional) + type: string + url: + description: 'URL 
can point to one of following formats: + text, tgz, zip http and https url are supported; plain + file, tgz and tar types are supported (required)' + type: string + type: object + image: + description: Pulls content from Docker/OCI registry + properties: + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of image (optional) + type: string + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + url: + description: 'Docker image url; unqualified, tagged, or + digest references supported (required) Example: username/app1-config:v0.1.0' + type: string + type: object + imgpkgBundle: + description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+) + properties: + image: + description: Docker image url; unqualified, tagged, or digest + references supported (required) + type: string + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' 
+ properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + type: object + inline: + description: Pulls content from within this resource; or other + resources in the cluster + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their content; + not recommended for sensitive values as CR is not encrypted + (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config maps; + data values are recommended to be placed in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + path: + description: Relative path to place the fetched artifacts + type: string + type: object + type: array + noopDelete: + description: Deletion requests for the App will result in the App + CR being deleted, but its associated resources will not be deleted + (optional; default=false; v0.18.0+) + type: boolean + paused: + description: Pauses _future_ reconciliation; does _not_ affect currently + running reconciliation (optional; default=false) + type: boolean + serviceAccountName: + description: Specifies that app should be deployed authenticated via + given service account, found in this namespace (optional; v0.6.0+) + type: string + syncPeriod: + 
description: Specifies the length of time to wait, in time + unit + format, before reconciling. Always >= 30s. If value below 30s is + specified, 30s will be used. (optional; v0.9.0+; default=30s) + type: string + template: + items: + properties: + cue: + properties: + inputExpression: + description: Cue expression for single path component, can + be used to unify ValuesFrom into a given field (optional) + type: string + outputExpression: + description: Cue expression to output, default will export + all visible fields (optional) + type: string + paths: + description: Explicit list of files/directories (optional) + items: + type: string + type: array + valuesFrom: + description: Provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects a field + of the app: only annotations, labels, + uid, name and namespace are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running KappController + version, defaults (empty) to retrieving + the current running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running KubernetesAPIs + from cluster, defaults (empty) to retrieving + the APIs from the cluster. Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running Kubernetes + version from cluster, defaults (empty) + to retrieving the version from the cluster. + Can be manually supplied instead.' 
+ properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + helmTemplate: + description: Use helm template command to render helm chart + properties: + kubernetesAPIs: + description: 'Optional: Use kubernetes group/versions resources + available in the live cluster' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get Kubernetes version, defaults + (empty) to retrieving the version from the cluster. Can + be manually overridden to a value instead.' + properties: + version: + type: string + type: object + name: + description: Set name explicitly, default is App CR's name + (optional; v0.13.0+) + type: string + namespace: + description: Set namespace explicitly, default is App CR's + namespace (optional; v0.13.0+) + type: string + path: + description: Path to chart (optional; v0.13.0+) + type: string + valuesFrom: + description: One or more secrets, config maps, paths that + provide values (optional) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects a field + of the app: only annotations, labels, + uid, name and namespace are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running KappController + version, defaults (empty) to retrieving + the current running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running KubernetesAPIs + from cluster, defaults (empty) to retrieving + the APIs from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running Kubernetes + version from cluster, defaults (empty) + to retrieving the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + jsonnet: + description: TODO implement jsonnet + type: object + kbld: + description: Use kbld to resolve image references to use digests + properties: + paths: + items: + type: string + type: array + type: object + kustomize: + description: TODO implement kustomize + type: object + sops: + description: Use sops to decrypt *.sops.yml files (optional; + v0.11.0+) + properties: + age: + properties: + privateKeysSecretRef: + description: Secret with private armored PGP private + keys (required) + properties: + name: + type: string + type: object + type: object + paths: + description: Lists paths to decrypt explicitly (optional; + v0.13.0+) + items: + type: string + type: array + pgp: + description: Use PGP to decrypt files (required) + properties: + privateKeysSecretRef: + description: Secret with private armored PGP private + keys (required) + properties: + name: + type: string + type: object + type: object + type: object + ytt: + description: Use ytt to template configuration + properties: + fileMarks: + description: Control metadata about input files passed to + ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ + for more details + items: + type: string + type: array + ignoreUnknownComments: + description: Ignores comments that ytt doesn't recognize + (optional; default=false) + type: boolean + inline: + description: Specify additional 
files, including data values + (optional) + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their content; + not recommended for sensitive values as CR is not + encrypted (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config + maps; data values are recommended to be placed in + secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place files + found in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place files + found in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + paths: + description: Lists paths to provide to ytt explicitly (optional) + items: + type: string + type: array + strict: + description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md + (optional; default=false) + type: boolean + valuesFrom: + description: Provide values via ytt's --data-values-file + (optional; v0.19.0-alpha.9) + items: + properties: + configMapRef: + properties: + name: + type: string + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldPath: + description: 'Required: Selects a field + of the app: only annotations, labels, + uid, name and namespace are supported.' + type: string + kappControllerVersion: + description: 'Optional: Get running KappController + version, defaults (empty) to retrieving + the current running version.. Can be manually + supplied instead.' + properties: + version: + type: string + type: object + kubernetesAPIs: + description: 'Optional: Get running KubernetesAPIs + from cluster, defaults (empty) to retrieving + the APIs from the cluster. 
Can be manually + supplied instead, e.g ["group/version", + "group2/version2"]' + properties: + groupVersions: + items: + type: string + type: array + type: object + kubernetesVersion: + description: 'Optional: Get running Kubernetes + version from cluster, defaults (empty) + to retrieving the version from the cluster. + Can be manually supplied instead.' + properties: + version: + type: string + type: object + name: + type: string + type: object + type: array + type: object + path: + type: string + secretRef: + properties: + name: + type: string + type: object + type: object + type: array + type: object + type: object + type: array + type: object + status: + properties: + conditions: + items: + properties: + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. + If it reports "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: ConditionType represents reconciler state + type: string + required: + - status + - type + type: object + type: array + consecutiveReconcileFailures: + type: integer + consecutiveReconcileSuccesses: + type: integer + deploy: + properties: + error: + type: string + exitCode: + type: integer + finished: + type: boolean + kapp: + description: KappDeployStatus contains the associated AppCR deployed + resources + properties: + associatedResources: + description: AssociatedResources contains the associated App + label, namespaces and GKs + properties: + groupKinds: + items: + description: GroupKind specifies a Group and a Kind, + but does not force a version. 
This is useful for + identifying concepts during lookup stages without + having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + label: + type: string + namespaces: + items: + type: string + type: array + type: object + type: object + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + fetch: + properties: + error: + type: string + exitCode: + type: integer + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + friendlyDescription: + type: string + inspect: + properties: + error: + type: string + exitCode: + type: integer + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + managedAppName: + type: string + observedGeneration: + description: Populated based on metadata.generation when controller + observes a change to the resource; if this value is out of data, + other status fields do not reflect latest state + format: int64 + type: integer + template: + properties: + error: + type: string + exitCode: + type: integer + stderr: + type: string + updatedAt: + format: date-time + type: string + type: object + usefulErrorMessage: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: packageinstalls.packaging.carvel.dev +spec: + group: packaging.carvel.dev + names: + categories: + - carvel + kind: PackageInstall + listKind: PackageInstallList + plural: packageinstalls + shortNames: + - pkgi + singular: packageinstall + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: PackageMetadata name + jsonPath: 
.spec.packageRef.refName + name: Package name + type: string + - description: PackageMetadata version + jsonPath: .status.version + name: Package version + type: string + - description: Friendly description + jsonPath: .status.friendlyDescription + name: Description + type: string + - description: Time since creation + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: A Package Install is an actual installation of a package and + its underlying resources on a Kubernetes cluster. It is represented in kapp-controller + by a PackageInstall CR. A PackageInstall CR must reference a Package CR. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canceled: + description: Canceled when set to true will stop all active changes + type: boolean + cluster: + description: Specifies that Package should be deployed to destination + cluster; by default, cluster is same as where this resource resides + (optional) + properties: + kubeconfigSecretRef: + description: Specifies secret containing kubeconfig (required) + properties: + key: + description: Specifies key that contains kubeconfig (optional) + type: string + name: + description: Specifies secret name within app's namespace + (required) + type: string + type: object + namespace: + description: Specifies namespace in destination cluster (optional) + type: string + type: object + noopDelete: + description: When NoopDelete set to true, PackageInstall deletion + should delete PackageInstall/App CR but preserve App's associated + resources. + type: boolean + packageRef: + description: Specifies the name of the package to install (required) + properties: + refName: + type: string + versionSelection: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + paused: + description: Paused when set to true will ignore all pending changes, + once it set back to false, pending changes will be applied + type: boolean + serviceAccountName: + description: Specifies service account that will be used to install + underlying package contents + type: string + syncPeriod: + description: Controls frequency of App reconciliation in time + unit + format. Always >= 30s. If value below 30s is specified, 30s will + be used. 
+ type: string + values: + description: Values to be included in package's templating step (currently + only included in the first templating step) (optional) + items: + properties: + secretRef: + properties: + key: + type: string + name: + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + items: + properties: + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. + If it reports "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: ConditionType represents reconciler state + type: string + required: + - status + - type + type: object + type: array + friendlyDescription: + type: string + lastAttemptedVersion: + description: LastAttemptedVersion specifies what version was last + attempted to be installed. It does _not_ indicate it was successfully + installed. 
+ type: string + observedGeneration: + description: Populated based on metadata.generation when controller + observes a change to the resource; if this value is out of data, + other status fields do not reflect latest state + format: int64 + type: integer + usefulErrorMessage: + type: string + version: + description: TODO this is desired resolved version (not actually deployed) + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + packaging.carvel.dev/global-namespace: kapp-controller-packaging-global + name: packagerepositories.packaging.carvel.dev +spec: + group: packaging.carvel.dev + names: + categories: + - carvel + kind: PackageRepository + listKind: PackageRepositoryList + plural: packagerepositories + shortNames: + - pkgr + singular: packagerepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Time since creation + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Friendly description + jsonPath: .status.friendlyDescription + name: Description + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A package repository is a collection of packages and their metadata. + Similar to a maven repository or a rpm repository, adding a package repository + to a cluster gives users of that cluster the ability to install any of the + packages from that repository. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + fetch: + properties: + git: + description: Uses git to clone repository containing package list + properties: + lfsSkipSmudge: + description: Skip lfs download (optional) + type: boolean + ref: + description: Branch, tag, commit; origin is the name of the + remote (optional) + type: string + refSelection: + description: Specifies a strategy to resolve to an explicit + ref (optional; v0.24.0+) + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + secretRef: + description: 'Secret with auth details. allowed keys: ssh-privatekey, + ssh-knownhosts, username, password (optional) (if ssh-knownhosts + is not specified, git will not perform strict host checking)' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of repository (optional) + type: string + url: + description: http or ssh urls are supported (required) + type: string + type: object + http: + description: Uses http library to fetch file containing packages + properties: + secretRef: + description: 'Secret to provide auth details (optional) Secret + may include one or more keys: username, password' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + sha256: + description: Checksum to verify after download (optional) + type: string + subPath: + description: Grab only portion of download (optional) + type: string + url: + description: 'URL can point to one of following formats: text, + tgz, zip http and https url are supported; 
plain file, tgz + and tar types are supported (required)' + type: string + type: object + image: + description: Image url; unqualified, tagged, or digest references + supported (required) + properties: + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' + properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + subPath: + description: Grab only portion of image (optional) + type: string + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + url: + description: 'Docker image url; unqualified, tagged, or digest + references supported (required) Example: username/app1-config:v0.1.0' + type: string + type: object + imgpkgBundle: + description: Pulls imgpkg bundle from Docker/OCI registry + properties: + image: + description: Docker image url; unqualified, tagged, or digest + references supported (required) + type: string + secretRef: + description: 'Secret may include one or more keys: username, + password, token. By default anonymous access is used for + authentication.' 
+ properties: + name: + description: Object is expected to be within same namespace + type: string + type: object + tagSelection: + description: Specifies a strategy to choose a tag (optional; + v0.24.0+) if specified, do not include a tag in url key + properties: + semver: + properties: + constraints: + type: string + prereleases: + properties: + identifiers: + items: + type: string + type: array + type: object + type: object + type: object + type: object + inline: + description: Pull content from within this resource; or other + resources in the cluster + properties: + paths: + additionalProperties: + type: string + description: Specifies mapping of paths to their content; + not recommended for sensitive values as CR is not encrypted + (optional) + type: object + pathsFrom: + description: Specifies content via secrets and config maps; + data values are recommended to be placed in secrets (optional) + items: + properties: + configMapRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + secretRef: + properties: + directoryPath: + description: Specifies where to place files found + in secret (optional) + type: string + name: + type: string + type: object + type: object + type: array + type: object + type: object + paused: + description: Paused when set to true will ignore all pending changes, + once it set back to false, pending changes will be applied + type: boolean + syncPeriod: + description: Controls frequency of PackageRepository reconciliation + type: string + required: + - fetch + type: object + status: + properties: + conditions: + items: + properties: + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. 
+ If it reports "ResizeStarted" that means the underlying persistent + volume is being resized. + type: string + status: + type: string + type: + description: ConditionType represents reconciler state + type: string + required: + - status + - type + type: object + type: array + consecutiveReconcileFailures: + type: integer + consecutiveReconcileSuccesses: + type: integer + deploy: + properties: + error: + type: string + exitCode: + type: integer + finished: + type: boolean + kapp: + description: KappDeployStatus contains the associated AppCR deployed + resources + properties: + associatedResources: + description: AssociatedResources contains the associated App + label, namespaces and GKs + properties: + groupKinds: + items: + description: GroupKind specifies a Group and a Kind, + but does not force a version. This is useful for + identifying concepts during lookup stages without + having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + label: + type: string + namespaces: + items: + type: string + type: array + type: object + type: object + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + fetch: + properties: + error: + type: string + exitCode: + type: integer + startedAt: + format: date-time + type: string + stderr: + type: string + stdout: + type: string + updatedAt: + format: date-time + type: string + type: object + friendlyDescription: + type: string + observedGeneration: + description: Populated based on metadata.generation when controller + observes a change to the resource; if this value is out of data, + other status fields do not reflect latest state + format: int64 + type: integer + template: + properties: + error: + type: string + exitCode: + type: integer + stderr: + type: string + updatedAt: + format: date-time + type: string + type: object + 
usefulErrorMessage: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + kapp-controller.carvel.dev/version: v0.47.0 + kbld.k14s.io/images: | + - origins: + - local: + path: /home/runner/work/kapp-controller/kapp-controller + - git: + dirty: true + remoteURL: https://github.com/carvel-dev/kapp-controller + sha: 2165849357e783c711ff11e500a8a763c3a7b0a5 + tags: + - v0.47.0 + url: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6 + name: kapp-controller + namespace: kapp-controller +spec: + replicas: 1 + revisionHistoryLimit: 0 + selector: + matchLabels: + app: kapp-controller + template: + metadata: + labels: + app: kapp-controller + spec: + containers: + - args: + - -packaging-global-namespace=kapp-controller-packaging-global + - -enable-api-priority-and-fairness=True + - -tls-cipher-suites= + env: + - name: KAPPCTRL_MEM_TMP_DIR + value: /etc/kappctrl-mem-tmp + - name: KAPPCTRL_SIDECAREXEC_SOCK + value: /etc/kappctrl-mem-tmp/sidecarexec.sock + - name: KAPPCTRL_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KAPPCTRL_API_PORT + value: "10350" + image: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6 + name: kapp-controller + ports: + - containerPort: 10350 + name: api + protocol: TCP + resources: + requests: + cpu: 120m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/kappctrl-mem-tmp + name: template-fs + - mountPath: /home/kapp-controller + name: home + - args: + - --sidecarexec + env: + - name: KAPPCTRL_SIDECAREXEC_SOCK + value: /etc/kappctrl-mem-tmp/sidecarexec.sock + - name: IMGPKG_ACTIVE_KEYCHAINS + value: gke,aks,ecr + image: 
ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6 + name: kapp-controller-sidecarexec + resources: + requests: + cpu: 120m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/kappctrl-mem-tmp + name: template-fs + - mountPath: /home/kapp-controller + name: home + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: empty-sa + serviceAccount: kapp-controller-sa + volumes: + - emptyDir: + medium: Memory + name: template-fs + - emptyDir: + medium: Memory + name: home + - emptyDir: {} + name: empty-sa +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kapp-controller-sa + namespace: kapp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kapp-controller-cluster-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - kappctrl.k14s.io + resources: + - apps + - apps/status + verbs: + - '*' +- apiGroups: + - packaging.carvel.dev + resources: + - packageinstalls + - packageinstalls/status + - packageinstalls/finalizers + verbs: + - '*' +- apiGroups: + - packaging.carvel.dev + resources: + - packagerepositories + - packagerepositories/status + verbs: + - '*' +- apiGroups: + - internal.packaging.carvel.dev + resources: + - internalpackagemetadatas + verbs: + - '*' +- apiGroups: + - data.packaging.carvel.dev + resources: + - packagemetadatas + - packagemetadatas/status + verbs: + - '*' +- apiGroups: + - internal.packaging.carvel.dev + resources: + - internalpackages + verbs: + - '*' +- apiGroups: + - data.packaging.carvel.dev + resources: + - packages + - packages/status + verbs: + - '*' +- apiGroups: 
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+- apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - update
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - list
+ - watch
+ - get
+ - update
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - flowcontrol.apiserver.k8s.io
+ resources:
+ - prioritylevelconfigurations
+ - flowschemas
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kapp-controller-user-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+- apiGroups:
+ - kappctrl.k14s.io
+ resources:
+ - apps
+ - apps/status
+ verbs:
+ - '*'
+- apiGroups:
+ - packaging.carvel.dev
+ resources:
+ - packageinstalls
+ - packageinstalls/status
+ - packageinstalls/finalizers
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+- apiGroups:
+ - packaging.carvel.dev
+ resources:
+ - packagerepositories
+ - packagerepositories/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - internal.packaging.carvel.dev
+ resources:
+ - internalpackagemetadatas
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - data.packaging.carvel.dev
+ resources:
+ - packagemetadatas
+ - packagemetadatas/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - internal.packaging.carvel.dev
+ resources:
+ - internalpackages
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - data.packaging.carvel.dev
+ resources:
+ - packages
+ - packages/status
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kapp-controller-cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kapp-controller-cluster-role
+subjects:
+- kind: ServiceAccount
+ name: kapp-controller-sa
+ namespace: kapp-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: pkg-apiserver:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: kapp-controller-sa
+ namespace: kapp-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pkgserver-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: kapp-controller-sa
+ namespace: kapp-controller
diff --git a/deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml b/deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml
new file mode 100644
index 00000000..90f244f6
--- /dev/null
+++ b/deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml
@@ -0,0 +1,235 @@ +#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! SPDX-License-Identifier: Apache-2.0 + +#@ load("@ytt:data", "data") +#@ load("@ytt:yaml", "yaml") +#@ load("helpers.lib.yaml", +#@ "defaultLabel", +#@ "labels", +#@ "deploymentPodLabel", +#@ "namespace", +#@ "defaultResourceName", +#@ "defaultResourceNameWithSuffix", +#@ "pinnipedDevAPIGroupWithPrefix", +#@ "getPinnipedConfigMapData", +#@ "hasUnixNetworkEndpoint", +#@ ) +#@ load("@ytt:template", "template") +#@ if not data.values.into_namespace: +--- +apiVersion: v1 +kind: Namespace +metadata: + name: #@ data.values.namespace + labels: #@ labels() +#@ end +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: #@ defaultResourceName() + namespace: #@ namespace() + labels: #@ labels() +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: #@ defaultResourceNameWithSuffix("static-config") + namespace: #@ namespace() + labels: #@ labels() +data: + #@yaml/text-templated-strings + pinniped.yaml: #@ yaml.encode(getPinnipedConfigMapData()) +--- +#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": +apiVersion: v1 +kind: Secret +metadata: + name: image-pull-secret + namespace: #@ namespace() + labels: #@ labels() +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson +#@ end +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: #@ defaultResourceName() + namespace: #@ namespace() + labels: #@ labels() +spec: + replicas: #@ data.values.replicas + selector: + #! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades. + matchLabels: #@ defaultLabel() + template: + metadata: + labels: + #! This has always included defaultLabel(), which is used by this Deployment's selector. + _: #@ template.replace(defaultLabel()) + #! 
More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically + #! without accidentally selecting pods from any future Deployments which might also want to use the defaultLabel(). + _: #@ template.replace(deploymentPodLabel()) + spec: + securityContext: + runAsUser: #@ data.values.run_as_user + runAsGroup: #@ data.values.run_as_group + serviceAccountName: #@ defaultResourceName() + #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": + imagePullSecrets: + - name: image-pull-secret + #@ end + containers: + - name: #@ defaultResourceName() + #@ if data.values.image_digest: + image: #@ data.values.image_repo + "@" + data.values.image_digest + #@ else: + image: #@ data.values.image_repo + ":" + data.values.image_tag + #@ end + imagePullPolicy: IfNotPresent + command: + - pinniped-supervisor + - /etc/podinfo + - /etc/config/pinniped.yaml + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a + #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's + #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error. + seccompProfile: + type: "RuntimeDefault" + resources: + requests: + #! If OIDCClient CRs are being used, then the Supervisor needs enough CPU to run expensive bcrypt + #! operations inside the implementation of the token endpoint for any authcode flows performed by those + #! clients, so for that use case administrators may wish to increase the requests.cpu value to more + #! closely align with their anticipated needs. Increasing this value will cause Kubernetes to give more + #! available CPU to this process during times of high CPU contention. By default, don't ask for too much + #! 
because that would make it impossible to install the Pinniped Supervisor on small clusters. + #! Aside from performing bcrypts at the token endpoint for those clients, the Supervisor is not a + #! particularly CPU-intensive process. + cpu: "100m" #! by default, request one-tenth of a CPU + memory: "128Mi" + limits: + #! By declaring a CPU limit that is not equal to the CPU request value, the Supervisor will be classified + #! by Kubernetes to have "burstable" quality of service. + #! See https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-burstable + #! If OIDCClient CRs are being used, and lots of simultaneous users have active sessions, then it is hard + #! pre-determine what the CPU limit should be for that use case. Guessing too low would cause the + #! pod's CPU usage to be throttled, resulting in poor performance. Guessing too high would allow clients + #! to cause the usage of lots of CPU resources. Administrators who have a good sense of anticipated usage + #! patterns may choose to set the requests.cpu and limits.cpu differently from these defaults. + cpu: "1000m" #! by default, throttle each pod's usage at 1 CPU + memory: "128Mi" + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: podinfo + mountPath: /etc/podinfo + readOnly: true + #@ if hasUnixNetworkEndpoint(): + - name: socket + mountPath: /pinniped_socket + readOnly: false #! 
writable to allow for socket use + #@ end + ports: + - containerPort: 8443 + protocol: TCP + env: + #@ if data.values.https_proxy: + - name: HTTPS_PROXY + value: #@ data.values.https_proxy + #@ end + #@ if data.values.https_proxy and data.values.no_proxy: + - name: NO_PROXY + value: #@ data.values.no_proxy + #@ end + livenessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 2 + timeoutSeconds: 15 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 2 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: config-volume + configMap: + name: #@ defaultResourceNameWithSuffix("static-config") + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "namespace" + fieldRef: + fieldPath: metadata.namespace + - path: "name" + fieldRef: + fieldPath: metadata.name + #@ if hasUnixNetworkEndpoint(): + - name: socket + emptyDir: {} + #@ end + #! This will help make sure our multiple pods run on different nodes, making + #! our deployment "more" "HA". + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchLabels: #@ deploymentPodLabel() + topologyKey: kubernetes.io/hostname +--- +apiVersion: v1 +kind: Service +metadata: + #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below. + name: #@ defaultResourceNameWithSuffix("api") + namespace: #@ namespace() + labels: #@ labels() + #! 
prevent kapp from altering the selector of our services to match kubectl behavior + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" +spec: + type: ClusterIP + selector: #@ deploymentPodLabel() + ports: + - protocol: TCP + port: 443 + targetPort: 10250 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.clientsecret.supervisor") + labels: #@ labels() +spec: + version: v1alpha1 + group: #@ pinnipedDevAPIGroupWithPrefix("clientsecret.supervisor") + groupPriorityMinimum: 9900 + versionPriority: 15 + #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code. + service: + name: #@ defaultResourceNameWithSuffix("api") + namespace: #@ namespace() + port: 443 diff --git a/deploy_carvel/deploy.sh b/deploy_carvel/deploy.sh index 3d73627a..c71d3e6a 100755 --- a/deploy_carvel/deploy.sh +++ b/deploy_carvel/deploy.sh @@ -44,6 +44,11 @@ function check_dependency() { exit 1 fi } +# TODO: add support for +# Read the env vars output by hack/prepare-for-integration-tests.sh +# source /tmp/integration-test-env +# +# # Deploy the PackageRepository and Package resources # Requires a running kind cluster # Does not configure Pinniped @@ -212,8 +217,8 @@ stringData: values.yml: | --- namespace: "${RESOURCE_NAMESPACE}" - app_name: "${resource_name}-app-installed-via-package" - replicas: 3 + app_name: "${resource_name}" # this affects services and things, needs to be just the resource name to match hack scripts + replicas: 1 # keep logs testing easy EOF KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall" 
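Review bot: When `data.values.image_digest` is empty, the Supervisor container runs `image_repo:image_tag` with `imagePullPolicy: IfNotPresent`, so each node keeps serving whatever it cached under that tag and a re-pushed tag is never re-pulled; only the digest branch actually pins the artifact that runs. Since the template already supports digests, make that the documented expectation, e.g. add `#! Prefer image_digest: a mutable tag combined with IfNotPresent is not reproducible across nodes.` above the `#@ if data.values.image_digest:` line, or emit `imagePullPolicy: Always` in the tag branch. This file appears to be a checked-in copy of the supervisor deployment template living under `_dev.SCRATCH` with an `.old.yaml` suffix; if it is meant to stay in the tree, a header comment stating that it is a reference copy and not a deployable artifact would keep it from silently drifting from the template the hack scripts actually render (presumably under `deploy/`, given the `pushd deploy/...` below — not visible here).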
@@ -233,12 +238,31 @@ kubectl get deploy -n supervisor kubectl get deploy -n concierge +# FLOW: +# kind delete cluster --name pinniped +# ./hack/prepare-for-integration-tests.sh --alternate-deploy-supervisor $(pwd)/deploy_carvel/deploy.sh --alternate-deploy-concierge $(pwd)/deploy_carvel/deploy.sh +# ./hack/prepare-supervisor-on-kind.sh --oidc +# # TODO: # - change the namespace to whatever it is in ./hack/prepare-for-integration-tests.sh # - make a script that can work for $alternate-deploy # - then run ./hack/prepare-supervisor-on-kind.sh and make sure it works - - +# +# +# openssl x509 -text -noout -in ./root_ca.crt +#curl --insecure https://127.0.0.1:61759/live +#{ +# "kind": "Status", +# "apiVersion": "v1", +# "metadata": {}, +# "status": "Failure", +# "message": "forbidden: User \"system:anonymous\" cannot get path \"/live\"", +# "reason": "Forbidden", +# "details": {}, +# "code": 403 +#}% +#curl --insecure https://127.0.0.1:61759/readyz +#ok% # # diff --git a/deploy_carvel/deploy_supervisor.sh b/deploy_carvel/deploy_supervisor.sh index 7aa13245..05de8429 100755 --- a/deploy_carvel/deploy_supervisor.sh +++ b/deploy_carvel/deploy_supervisor.sh 
@@ -30,75 +30,3 @@ echo_blue() { echo -e "${BLUE}>> $@${DEFAULT}\n" # printf "${BLUE}$@${DEFAULT}" } - -# borrowed from /tmp/integration-test-env -# TODO: make new scripts work with the old script? -# or how to ensure we can install both -# - the old way, ytt or plain yamls -# - the new way, with the PackageRepository and Packages -# export PINNIPED_TEST_SUPERVISOR_NAMESPACE=supervisor -PINNIPED_TEST_SUPERVISOR_NAMESPACE=default -# export PINNIPED_TEST_PROXY=http://127.0.0.1:12346 -PINNIPED_TEST_PROXY=http://127.0.0.1:12346 - -# from here forward borrowed from ${repo_root}/hack/prepare-supervisor-on-kind.sh - -# NOPE! Not running this script, so we have to pull the env vars ourselves -# however, we can run it against another kind cluster and take a look at it to make sure -# we understand what the contents are -# Read the env vars output by hack/prepare-for-integration-tests.sh -# source /tmp/integration-test-env - -# Choose some filenames. -root_ca_crt_path=root_ca.crt -root_ca_key_path=root_ca.key -tls_crt_path=tls.crt -tls_key_path=tls.key - -# Choose an audience name for the Concierge. -audience="my-workload-cluster-$(openssl rand -hex 4)" - -# These settings align with how the Dex redirect URI is configured by hack/prepare-for-integration-tests.sh. -# Note that this hostname can only be resolved inside the cluster, so we will use a web proxy running inside -# the cluster whenever we want to be able to connect to it. -issuer_host="pinniped-supervisor-clusterip.supervisor.svc.cluster.local" -issuer="https://$issuer_host/some/path" - - -# Create a CA and TLS serving certificates for the Supervisor. 
-step certificate create \ - "Supervisor CA" "$root_ca_crt_path" "$root_ca_key_path" \ - --profile root-ca \ - --no-password --insecure --force -step certificate create \ - "$issuer_host" "$tls_crt_path" "$tls_key_path" \ - --profile leaf \ - --not-after 8760h \ - --ca "$root_ca_crt_path" --ca-key "$root_ca_key_path" \ - --no-password --insecure --force - -# Put the TLS certificate into a Secret for the Supervisor. -kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation-domain-tls --cert "$tls_crt_path" --key "$tls_key_path" \ - --dry-run=client --output yaml | kubectl apply -f - - - -# Make a FederationDomain using the TLS Secret from above. -cat </dev/null; then + log_error "Missing dependency..." + log_error "$2" + exit 1 + fi +} + +log_note "log-args.sh 🐳 🐳 🐳" + +# two vars will be received by this script: +# Received: local-user-authenticator +# Received: D00A4537-80F1-4AF2-A3B3-5F20BDBB9AEB +log_note "passed this invocation:" +app=${1} +# tag is fed in from the prepare-for-integration-tests.sh script, just uuidgen to identify a +# specific docker build of the pinniped-server image. +tag=${2} + +registry="pinniped.local" +repo="test/build" +registry_repo="$registry/$repo" + + +if [ "${app}" = "local-user-authenticator" ]; then + log_note "deploy-pachage.sh: local-user-authenticator 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠" + log_note "deploy-pachage.sh: local-user-authenticator 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠" + log_note "deploy-pachage.sh: local-user-authenticator 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠 🐠" + pushd deploy/local-user-authenticator >/dev/null + manifest=/tmp/pinniped-local-user-authenticator.yaml + + ytt --file . \ + --data-value "image_repo=$registry_repo" \ + --data-value "image_tag=$tag" >"$manifest" + + kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" + kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. 
+ popd >/dev/null +fi + +if [ "${app}" = "pinniped-supervisor" ]; then + log_note "deploy-pachage.sh: supervisor 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡" + log_note "deploy-pachage.sh: supervisor 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡" + log_note "deploy-pachage.sh: supervisor 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡 🐡" +fi + +if [ "${app}" = "pinniped-concierge" ]; then + log_note "deploy-pachage.sh: concierge 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼" + log_note "deploy-pachage.sh: concierge 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼" + log_note "deploy-pachage.sh: concierge 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼 🪼" +fi diff --git a/deploy_carvel/hack/kind-with-registry.sh b/deploy_carvel/hack/kind-with-registry.sh new file mode 100755 index 00000000..96d14d32 --- /dev/null +++ b/deploy_carvel/hack/kind-with-registry.sh 
@@ -0,0 +1,69 @@ +#!/bin/sh +set -o errexit + +# default name if not provided +# KIND_CLUSTER_NAME=my-kind-of-cluster ./kind-with-registry.sh +KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:=my-kind-cluster}" + +# 1. Create registry container unless it already exists +reg_name='kind-registry' +reg_port='5001' +if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then + docker run \ + -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \ + registry:2 +fi + +# 2. Create kind cluster with containerd registry config dir enabled +# TODO: kind will eventually enable this by default and this patch will +# be unnecessary. +# +# See: +# https://github.com/kubernetes-sigs/kind/issues/2875 +# https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration +# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md +cat </dev/null; then + log_error "Missing dependency..." + log_error "$2" + exit 1 + fi +} + +# two vars will be received by this script: +# Received: local-user-authenticator +# Received: D00A4537-80F1-4AF2-A3B3-5F20BDBB9AEB +app=${1} +# tag is fed in from the prepare-for-integration-tests.sh script, just uuidgen to identify a +# specific docker build of the pinniped-server image. +tag=${2} +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +log_note "log-args.sh >>> script dir: ${SCRIPT_DIR}" +log_note "log-args.sh >>> app: ${app} tag: ${tag}" + + +# nothing else, this is a test. diff --git a/deploy_carvel/hack/log-args2.sh b/deploy_carvel/hack/log-args2.sh new file mode 100755 index 00000000..8573f33c --- /dev/null +++ b/deploy_carvel/hack/log-args2.sh 
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+#
+# This script is intended to be used with:
+# - $repo_root/hack/prepare-for-integration-test.sh --alternate-deploy $(pwd)/deploy_carvel/hack/log-args.sh
+# and originated with the following:
+# - https://github.com/jvanzyl/pinniped-charts/blob/main/alternate-deploy-helm
+# along with this PR to pinniped:
+# - https://github.com/vmware-tanzu/pinniped/pull/1028
+set -euo pipefail
+
+#
+# Helper functions
+#
+function log_note() {
+ GREEN='\033[0;32m'
+ NC='\033[0m'
+ if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+ echo -e "${GREEN}$*${NC}"
+ else
+ echo "$*"
+ fi
+}
+
+function log_error() {
+ RED='\033[0;31m'
+ NC='\033[0m'
+ if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+ echo -e "🙁${RED} Error: $* ${NC}"
+ else
+ echo ":( Error: $*"
+ fi
+}
+
+function check_dependency() {
+ if ! command -v "$1" >/dev/null; then
+ log_error "Missing dependency..."
+ log_error "$2"
+ exit 1
+ fi
+}
+
+# two vars will be received by this script:
+# Received: local-user-authenticator
+# Received: D00A4537-80F1-4AF2-A3B3-5F20BDBB9AEB
+app=${1}
+# tag is fed in from the prepare-for-integration-tests.sh script, just uuidgen to identify a
+# specific docker build of the pinniped-server image.
+tag=${2}
+
+log_note "🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄"
+log_note "log-args2.sh >>> app: ${app} tag: ${tag} 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄"
+log_note "🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄 🦄"
diff --git a/deploy_carvel/hack/prepare-alt-deploy-with-package.sh b/deploy_carvel/hack/prepare-alt-deploy-with-package.sh
new file mode 100755
index 00000000..3819c404
--- /dev/null
+++ b/deploy_carvel/hack/prepare-alt-deploy-with-package.sh
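Review bot: `app=${1}` and `tag=${2}` take positional arguments that, under `set -euo pipefail`, make the script die with bash's generic "unbound variable" message when the caller omits one, while the `check_dependency` helper that would produce a readable error is defined but never invoked. Use the `:?` expansion so the failure names what is missing: `app=${1:?app name is required as the first argument}` and `tag=${2:?image tag is required as the second argument}`. `check_dependency` can then be removed until this script runs `ytt`/`kapp` itself. The log-args.sh hunk just before this one (its file header is lost in this rendering) has the same `app=${1}`/`tag=${2}` pattern.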
@@ -0,0 +1,99 @@ +#!/usr/bin/env bash + +# +# This script is intended to be used with: +# - $repo_root/hack/prepare-for-integration-test.sh --alternate-deploy deploy_carvel/prepare-alt-deploy-with-package.sh +# and originated with the following: +# - https://github.com/jvanzyl/pinniped-charts/blob/main/alternate-deploy-helm +# along with this PR to pinniped: +# - https://github.com/vmware-tanzu/pinniped/pull/1028 +set -euo pipefail + +# +# Helper functions +# +function log_note() { + GREEN='\033[0;32m' + NC='\033[0m' + if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then + echo -e "${GREEN}$*${NC}" + else + echo "$*" + fi +} + +function log_error() { + RED='\033[0;31m' + NC='\033[0m' + if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then + echo -e "🙁${RED} Error: $* ${NC}" + else + echo ":( Error: $*" + fi +} + +function check_dependency() { + if ! command -v "$1" >/dev/null; then + log_error "Missing dependency..." + log_error "$2" + exit 1 + fi +} + +# two vars will be received by this script: +# Received: local-user-authenticator +# Received: D00A4537-80F1-4AF2-A3B3-5F20BDBB9AEB +log_note "passed this invocation:" +app=${1} +# tag is fed in from the prepare-for-integration-tests.sh script, just uuidgen to identify a +# specific docker build of the pinniped-server image. +tag=${2} + +if [ "${app}" = "local-user-authenticator" ]; then + # + # TODO: continue on from here. + # get this to install correctly, exaclty as it did before + # and then do the rest? + # OR TODO: correct the $alternate_deploy issue by creating 3 new flags: + # $alternate_deploy-supervisor + # $alternate_deploy-concierge + # $alternate_deploy-local-user-authenticator + # + # TODO step 1: test to ensure current change did not break the script! + # + log_note "🦄 🦄 🦄 where are we?!?!?" + pwd + log_note "Deploying the local-user-authenticator app to the cluster using kapp..." + ytt --file . 
\ + --data-value "image_repo=$registry_repo" \ + --data-value "image_tag=$tag" >"$manifest" + + kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" + kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. +fi + +if [ "${app}" = "pinniped-supervisor" ]; then +# helm upgrade pinniped-supervisor charts/pinniped-supervisor \ +# --install \ +# --values source/pinniped-supervisor/values-lit.yaml \ +# --set image.version=${tag} \ +# --namespace supervisor \ +# --create-namespace \ +# --atomic +# --atomic + log_note "ignoring supervisor, so sad........." +fi + +if [ "${app}" = "pinniped-concierge" ]; then +# discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')" +# helm upgrade pinniped-concierge charts/pinniped-concierge \ +# --install \ +# --values source/pinniped-concierge/values-lit.yaml \ +# --set image.version=${tag} \ +# --set config.discovery.url=${discovery_url} \ +# --set config.logLevel="debug" \ +# --namespace concierge \ +# --create-namespace \ +# --atomic + log_note "ignoring concierge, so sad........." +fi diff --git a/deploy_carvel/temp_actual_deploy_resources/concierge-pkginstall.yml b/deploy_carvel/temp_actual_deploy_resources/concierge-pkginstall.yml new file mode 100644 index 00000000..d471bebf --- /dev/null +++ b/deploy_carvel/temp_actual_deploy_resources/concierge-pkginstall.yml 
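Review bot: In the `local-user-authenticator` branch, `ytt --file . --data-value "image_repo=$registry_repo" ... >"$manifest"` reads `$registry_repo` and `$manifest`, neither of which is assigned anywhere in this script, so with `set -euo pipefail` on line 10 the script aborts with an unbound-variable error before ytt runs. The script earlier in this commit that logs as `deploy-pachage.sh` sets `registry="pinniped.local"`, `repo="test/build"`, `registry_repo="$registry/$repo"` and `manifest=/tmp/pinniped-local-user-authenticator.yaml`, and runs ytt inside `pushd deploy/local-user-authenticator`; this one runs `ytt --file .` from whatever the caller's working directory happens to be, which the preceding `pwd` suggests is still unknown. Define the variables and change into the manifest directory before the ytt call, mirroring that script.
```shell
if [ "${app}" = "local-user-authenticator" ]; then
  # same values as the deploy-package script in this commit
  registry="pinniped.local"
  repo="test/build"
  registry_repo="$registry/$repo"
  manifest=/tmp/pinniped-local-user-authenticator.yaml
  # … unchanged: TODO comments, log_note calls …
  pushd deploy/local-user-authenticator >/dev/null
  # … unchanged: ytt, kapp deploy, kubectl --dry-run …
  popd >/dev/null
fi
```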
@@ -0,0 +1,28 @@
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ # name, does not have to be versioned, versionSelection.constraints below will handle
+ name: concierge-install
+ namespace: concierge-install-ns
+spec:
+ serviceAccountName: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
+ packageRef:
+ refName: "concierge.pinniped.dev"
+ versionSelection:
+ constraints: "0.25.0"
+ values:
+ - secretRef:
+ name: "concierge-package-install-secret"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "concierge-package-install-secret"
+ namespace: concierge-install-ns
+stringData:
+ values.yml: |
+ ---
+ namespace: "concierge"
+ app_name: "concierge" # this affects services and things, needs to be just the resource name to match hack scripts
+ replicas: 1 # keep logs testing easy
diff --git a/deploy_carvel/temp_actual_deploy_resources/pinniped-package-rbac-concierge-concierge-rbac.yml b/deploy_carvel/temp_actual_deploy_resources/pinniped-package-rbac-concierge-concierge-rbac.yml
new file mode 100644
index 00000000..f9ac5a5a
--- /dev/null
+++ b/deploy_carvel/temp_actual_deploy_resources/pinniped-package-rbac-concierge-concierge-rbac.yml
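Review bot: `serviceAccountName: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"` is the ServiceAccount kapp-controller will reconcile this package as, and the RBAC file in this same commit binds it to a wildcard ClusterRole, so the install runs with cluster-admin-equivalent rights without the manifest saying so. Add a comment above that key such as `# NOTE: this SA is effectively cluster-admin (see pinniped-package-rbac-concierge-concierge-rbac.yml); for throwaway kind clusters only`. The file also mixes unquoted scalars (`name: concierge-install`, `namespace: concierge-install-ns`) with quoted ones (`refName: "concierge.pinniped.dev"`, `name: "concierge-package-install-secret"`); `constraints: "0.25.0"` is fine either way, but the plain names should use one style. Both points apply equally to supervisor-pkginstall.yml later in this commit.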
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "concierge-install-ns"
+---
+# ServiceAccount details from the file linked above
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
+ namespace: "concierge-install-ns"
+ # namespace: default # --> sticking to default for everything for now.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
+rules:
+- apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "pinniped-package-rbac-concierge-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+ name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
+ namespace: "concierge-install-ns"
+ # namespace: default # --> sticking to default for everything for now.
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
+
diff --git a/deploy_carvel/temp_actual_deploy_resources/pinniped-package-rbac-supervisor-supervisor-rbac.yml b/deploy_carvel/temp_actual_deploy_resources/pinniped-package-rbac-supervisor-supervisor-rbac.yml
new file mode 100644
index 00000000..99af8b6c
--- /dev/null
+++ b/deploy_carvel/temp_actual_deploy_resources/pinniped-package-rbac-supervisor-supervisor-rbac.yml
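Review bot: The ClusterRole's single rule `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, bound cluster-wide to the ServiceAccount in `concierge-install-ns`, makes that account cluster-admin-equivalent, so any workload that runs as it inherits full control of the cluster. The `-superadmin-dangerous` suffix records the intent, but the file should either narrow the rule to the object kinds the concierge template in this commit actually emits (Namespace, ServiceAccount, Service, APIService, Deployment and the package's own API group) or carry a header comment such as `# Throwaway RBAC for kind-based testing only: this SA is effectively cluster-admin. Do not apply to a shared cluster.` The comment `# ServiceAccount details from the file linked above` refers to a link that does not exist in this file. The supervisor RBAC file that follows has the identical wildcard rule and the same dangling comment.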
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "supervisor-install-ns"
+---
+# ServiceAccount details from the file linked above
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
+ namespace: "supervisor-install-ns"
+ # namespace: default # --> sticking to default for everything for now.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
+rules:
+- apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "pinniped-package-rbac-supervisor-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+ name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
+ namespace: "supervisor-install-ns"
+ # namespace: default # --> sticking to default for everything for now.
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
+
diff --git a/deploy_carvel/temp_actual_deploy_resources/supervisor-pkginstall.yml b/deploy_carvel/temp_actual_deploy_resources/supervisor-pkginstall.yml
new file mode 100644
index 00000000..03f4ae14
--- /dev/null
+++ b/deploy_carvel/temp_actual_deploy_resources/supervisor-pkginstall.yml
@@ -0,0 +1,28 @@
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ # name, does not have to be versioned, versionSelection.constraints below will handle
+ name: supervisor-install
+ namespace: supervisor-install-ns
+spec:
+ serviceAccountName: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
+ packageRef:
+ refName: "supervisor.pinniped.dev"
+ versionSelection:
+ constraints: "0.25.0"
+ values:
+ - secretRef:
+ name: "supervisor-package-install-secret"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "supervisor-package-install-secret"
+ namespace: supervisor-install-ns
+stringData:
+ values.yml: |
+ ---
+ namespace: "supervisor"
+ app_name: "supervisor" # this affects services and things, needs to be just the resource name to match hack scripts
+ replicas: 1 # keep logs testing easy
diff --git a/deploy_carvel/temp_pinniped_config_resources/oidc.gitlab.vmware.yaml b/deploy_carvel/temp_pinniped_config_resources/oidc.gitlab.vmware.yaml
new file mode 100644
index 00000000..51b30334
--- /dev/null
+++ b/deploy_carvel/temp_pinniped_config_resources/oidc.gitlab.vmware.yaml
@@ -0,0 +1,60 @@
+apiVersion: idp.supervisor.pinniped.dev/v1alpha1
+kind: OIDCIdentityProvider
+metadata:
+ # namespace: pinniped-supervisor
+ namespace: supervisor-ns # for this install this is the namespace that I've ben using.
+ name: gitlab
+spec:
+
+ # Specify the upstream issuer URL.
+ issuer: https://gitlab.eng.vmware.com
+
+ # Specify how to form authorization requests to GitLab.
+ authorizationConfig:
+
+ # GitLab is unusual among OIDC providers in that it returns an
+ # error if you request the "offline_access" scope during an
+ # authorization flow, so ask Pinniped to avoid requesting that
+ # scope when using GitLab by excluding it from this list.
+ # By specifying only "openid" here then Pinniped will only
+ # request "openid".
+ additionalScopes: [openid,email]
+
+ # If you would also like to allow your end users to authenticate using
+ # a password grant, then change this to true. See
+ # https://docs.gitlab.com/ee/api/oauth2.html#resource-owner-password-credentials-flow
+ # for more information about using the password grant with GitLab.
+ allowPasswordGrant: false
+
+ # Specify how GitLab claims are mapped to Kubernetes identities.
+ claims:
+
+ # Specify the name of the claim in your GitLab token that will be mapped
+ # to the "username" claim in downstream tokens minted by the Supervisor.
+ username: email
+
+ # Specify the name of the claim in GitLab that represents the groups
+ # that the user belongs to. Note that GitLab's "groups" claim comes from
+ # their "/userinfo" endpoint, not the token.
+ groups: groups
+
+ # Specify the name of the Kubernetes Secret that contains your GitLab
+ # application's client credentials (created below).
+ client:
+ secretName: gitlab-client-credentials
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ # namespace: pinniped-supervisor
+ namespace: supervisor-ns # for this install this is the namespace that I've ben using.
+ name: gitlab-client-credentials
+type: secrets.pinniped.dev/oidc-client
+stringData:
+
+ # The "Application ID" that you got from GitLab.
+ clientID: "bbf1c9e13b38642adec54d47a112159549c2de10ae3506086c5af2ff4beb32d6"
+
+ # The "Secret" that you got from GitLab.
+ clientSecret: "16a92c0fdbba5f87a7ea61d6c64a526b5fb838bf436825c98af95459c7c5eeb8"
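Review bot: The GitLab application's `clientSecret` (and `clientID`) are committed as literal values in a Secret manifest; once a credential is in git history it has to be treated as disclosed and rotated even though the directory is labelled temporary, and the manifest should take the value from a ytt data value or a substituted placeholder such as `clientSecret: "REPLACE_ME_GITLAB_CLIENT_SECRET"` instead. In the first document, the comment above `additionalScopes` says that specifying only `"openid"` makes Pinniped request only `"openid"`, but the list is `[openid,email]`, so the comment is stale and the flow list should be written `[openid, email]`. Both documents use `namespace: supervisor-ns` with a "namespace that I've ben using" note, while the supervisor PackageInstall values in this commit deploy to `namespace: "supervisor"`; if the IDP and Secret need to sit in the Supervisor's namespace, this file appears to target the wrong one.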