From c01a1aed968d1bc1ef7c5cd2f2eaf3815465facf Mon Sep 17 00:00:00 2001
From: "Benjamin A. Petersen"
Date: Mon, 25 Sep 2023 12:45:18 -0400
Subject: [PATCH] remove

---
 .../concierge.deployment.old.yaml | 360 ---
 .../_dev.SCRATCH/deploy_concierge.sh | 41 -
 .../_dev.SCRATCH/deploy_supervisor.sh | 66 -
 .../_dev.SCRATCH/integration-test-env | 89 -
 .../_dev.SCRATCH/kapp-controller.release.yaml | 2662 ----------------
 .../supervisor.deployment.old.yaml | 235 --
 6 files changed, 3453 deletions(-)
 delete mode 100644 deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml
 delete mode 100755 deploy_carvel/_dev.SCRATCH/deploy_concierge.sh
 delete mode 100755 deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh
 delete mode 100644 deploy_carvel/_dev.SCRATCH/integration-test-env
 delete mode 100644 deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml
 delete mode 100644 deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml

diff --git a/deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml b/deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml
deleted file mode 100644
index bc8397cc..00000000
--- a/deploy_carvel/_dev.SCRATCH/concierge.deployment.old.yaml
+++ /dev/null
@@ -1,360 +0,0 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. -#! SPDX-License-Identifier: Apache-2.0 - -#@ load("@ytt:data", "data") -#@ load("@ytt:json", "json") -#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix") -#@ load("@ytt:template", "template") - -#@ if not data.values.into_namespace: ---- -apiVersion: v1 -kind: Namespace -metadata: - name: #@ data.values.namespace - labels: - _: #@ template.replace(labels()) - #! When deploying onto a cluster which has PSAs enabled by default for namespaces, - #! effectively disable them for this namespace. The kube-cert-agent Deployment's pod - #! created by the Concierge in this namespace needs to be able to perform privileged - #! actions. The regular Concierge pod containers created by the Deployment below do - #! not need special privileges and are marked as such in their securityContext settings. - pod-security.kubernetes.io/enforce: privileged -#@ end ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: #@ defaultResourceName() - namespace: #@ namespace() - labels: #@ labels() ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: #@ defaultResourceNameWithSuffix("kube-cert-agent") - namespace: #@ namespace() - labels: #@ labels() ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: #@ defaultResourceNameWithSuffix("impersonation-proxy") - namespace: #@ namespace() - labels: #@ labels() - annotations: - #! we need to create this service account before we create the secret - kapp.k14s.io/change-group: "impersonation-proxy.concierge.pinniped.dev/serviceaccount" -secrets: #! 
make sure the token controller does not create any other secrets -- name: #@ defaultResourceNameWithSuffix("impersonation-proxy") ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: #@ defaultResourceNameWithSuffix("config") - namespace: #@ namespace() - labels: #@ labels() -data: - #! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below. - #@yaml/text-templated-strings - pinniped.yaml: | - discovery: - url: (@= data.values.discovery_url or "null" @) - api: - servingCertificate: - durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @) - renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @) - apiGroupSuffix: (@= data.values.api_group_suffix @) - # aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated - # impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated - names: - servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @) - credentialIssuer: (@= defaultResourceNameWithSuffix("config") @) - apiService: (@= defaultResourceNameWithSuffix("api") @) - impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @) - impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @) - impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @) - impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @) - impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @) - agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @) - labels: (@= json.encode(labels()).rstrip() @) - kubeCertAgent: - namePrefix: (@= 
defaultResourceNameWithSuffix("kube-cert-agent-") @) - (@ if data.values.kube_cert_agent_image: @) - image: (@= data.values.kube_cert_agent_image @) - (@ else: @) - (@ if data.values.image_digest: @) - image: (@= data.values.image_repo + "@" + data.values.image_digest @) - (@ else: @) - image: (@= data.values.image_repo + ":" + data.values.image_tag @) - (@ end @) - (@ end @) - (@ if data.values.image_pull_dockerconfigjson: @) - imagePullSecrets: - - image-pull-secret - (@ end @) - (@ if data.values.log_level or data.values.deprecated_log_format: @) - log: - (@ if data.values.log_level: @) - level: (@= getAndValidateLogLevel() @) - (@ end @) - (@ if data.values.deprecated_log_format: @) - format: (@= data.values.deprecated_log_format @) - (@ end @) - (@ end @) ---- -#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": -apiVersion: v1 -kind: Secret -metadata: - name: image-pull-secret - namespace: #@ namespace() - labels: #@ labels() -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson -#@ end ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: #@ defaultResourceName() - namespace: #@ namespace() - labels: #@ labels() -spec: - replicas: #@ data.values.replicas - selector: - #! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades. - matchLabels: #@ defaultLabel() - template: - metadata: - labels: - #! This has always included defaultLabel(), which is used by this Deployment's selector. - _: #@ template.replace(defaultLabel()) - #! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically - #! without accidentally selecting any other Deployment's Pods, especially the kube cert agent Deployment's Pods. 
- _: #@ template.replace(deploymentPodLabel()) - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: - securityContext: - runAsUser: #@ data.values.run_as_user - runAsGroup: #@ data.values.run_as_group - serviceAccountName: #@ defaultResourceName() - #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": - imagePullSecrets: - - name: image-pull-secret - #@ end - containers: - - name: #@ defaultResourceName() - #@ if data.values.image_digest: - image: #@ data.values.image_repo + "@" + data.values.image_digest - #@ else: - image: #@ data.values.image_repo + ":" + data.values.image_tag - #@ end - imagePullPolicy: IfNotPresent - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: [ "ALL" ] - #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a - #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's - #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error. 
- seccompProfile: - type: "RuntimeDefault" - resources: - requests: - cpu: "100m" - memory: "128Mi" - limits: - cpu: "100m" - memory: "128Mi" - command: - - pinniped-concierge - - --config=/etc/config/pinniped.yaml - - --downward-api-path=/etc/podinfo - volumeMounts: - - name: tmp - mountPath: /tmp - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: podinfo - mountPath: /etc/podinfo - readOnly: true - - name: impersonation-proxy - mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount - readOnly: true - env: - #@ if data.values.https_proxy: - - name: HTTPS_PROXY - value: #@ data.values.https_proxy - #@ end - #@ if data.values.https_proxy and data.values.no_proxy: - - name: NO_PROXY - value: #@ data.values.no_proxy - #@ end - livenessProbe: - httpGet: - path: /healthz - port: 10250 - scheme: HTTPS - initialDelaySeconds: 2 - timeoutSeconds: 15 - periodSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: 10250 - scheme: HTTPS - initialDelaySeconds: 2 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 3 - volumes: - - name: tmp - emptyDir: - medium: Memory - sizeLimit: 100Mi - - name: config-volume - configMap: - name: #@ defaultResourceNameWithSuffix("config") - - name: impersonation-proxy - secret: - secretName: #@ defaultResourceNameWithSuffix("impersonation-proxy") - items: #! make sure our pod does not start until the token controller has a chance to populate the secret - - key: token - path: token - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "name" - fieldRef: - fieldPath: metadata.name - - path: "namespace" - fieldRef: - fieldPath: metadata.namespace - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master #! Allow running on master nodes too (name deprecated by kubernetes 1.20). - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane #! 
The new name for these nodes as of Kubernetes 1.24. - effect: NoSchedule - #! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17, - #! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596). - #!priorityClassName: system-cluster-critical - #! This will help make sure our multiple pods run on different nodes, making - #! our deployment "more" "HA". - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 50 - podAffinityTerm: - labelSelector: - matchLabels: #@ deploymentPodLabel() - topologyKey: kubernetes.io/hostname ---- -apiVersion: v1 -kind: Service -metadata: - #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below. - name: #@ defaultResourceNameWithSuffix("api") - namespace: #@ namespace() - labels: #@ labels() - #! prevent kapp from altering the selector of our services to match kubectl behavior - annotations: - kapp.k14s.io/disable-default-label-scoping-rules: "" -spec: - type: ClusterIP - selector: #@ deploymentPodLabel() - ports: - - protocol: TCP - port: 443 - targetPort: 10250 ---- -apiVersion: v1 -kind: Service -metadata: - name: #@ defaultResourceNameWithSuffix("proxy") - namespace: #@ namespace() - labels: #@ labels() - #! prevent kapp from altering the selector of our services to match kubectl behavior - annotations: - kapp.k14s.io/disable-default-label-scoping-rules: "" -spec: - type: ClusterIP - selector: #@ deploymentPodLabel() - ports: - - protocol: TCP - port: 443 - targetPort: 8444 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.login.concierge") - labels: #@ labels() -spec: - version: v1alpha1 - group: #@ pinnipedDevAPIGroupWithPrefix("login.concierge") - groupPriorityMinimum: 9900 - versionPriority: 15 - #! caBundle: Do not include this key here. 
Starts out null, will be updated/owned by the golang code. - service: - name: #@ defaultResourceNameWithSuffix("api") - namespace: #@ namespace() - port: 443 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.identity.concierge") - labels: #@ labels() -spec: - version: v1alpha1 - group: #@ pinnipedDevAPIGroupWithPrefix("identity.concierge") - groupPriorityMinimum: 9900 - versionPriority: 15 - #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code. - service: - name: #@ defaultResourceNameWithSuffix("api") - namespace: #@ namespace() - port: 443 ---- -apiVersion: #@ pinnipedDevAPIGroupWithPrefix("config.concierge") + "/v1alpha1" -kind: CredentialIssuer -metadata: - name: #@ defaultResourceNameWithSuffix("config") - labels: #@ labels() -spec: - impersonationProxy: - mode: #@ data.values.impersonation_proxy_spec.mode - #@ if data.values.impersonation_proxy_spec.external_endpoint: - externalEndpoint: #@ data.values.impersonation_proxy_spec.external_endpoint - #@ end - service: - type: #@ data.values.impersonation_proxy_spec.service.type - #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip: - loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip - #@ end - annotations: #@ data.values.impersonation_proxy_spec.service.annotations ---- -apiVersion: v1 -kind: Secret -metadata: - name: #@ defaultResourceNameWithSuffix("impersonation-proxy") - namespace: #@ namespace() - labels: #@ labels() - annotations: - #! wait until the SA exists to create this secret so that the token controller does not delete it - #! 
we have this secret at the end so that kubectl will create the service account first - kapp.k14s.io/change-rule: "upsert after upserting impersonation-proxy.concierge.pinniped.dev/serviceaccount" - kubernetes.io/service-account.name: #@ defaultResourceNameWithSuffix("impersonation-proxy") -type: kubernetes.io/service-account-token diff --git a/deploy_carvel/_dev.SCRATCH/deploy_concierge.sh b/deploy_carvel/_dev.SCRATCH/deploy_concierge.sh deleted file mode 100755 index 12d5cf9b..00000000 --- a/deploy_carvel/_dev.SCRATCH/deploy_concierge.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/bash - - -APP="pinn-conci" - -kapp deploy --app "${APP}" --diff-changes --file <(ytt \ - --file concierge/config/authentication.concierge.pinniped.dev_jwtauthenticators.yaml - --file concierge/config/authentication.concierge.pinniped.dev_webhookauthenticcators.yaml - --file concierge/config/config.concierge.pinniped.dev_credential_issuers.yaml - --file concierge/config/deployment-HACKED.yaml \ - --file concierge/config/helpers.lib.yaml \ - --file concierge/config/rbac.yaml \ - --file concierge/config/z0_crd_overlay.yaml \ - --file concierge/config/values.yaml \ - --data-value app_name=pinn-conci \ - --data-value namespace=pinn-conci \ - --data-value-yaml 'custom_labels={"foo": bar}' \ - --data-value replicas=3) - - -## template the thing -#RENDER_OUTPUT_FILE=$( -#ytt \ -# --file concierge/config/helpers.lib.yaml \ -# --file concierge/config/deployment.yaml \ -# --file concierge/config/service.yaml \ -# --file concierge/config/values.yaml \ -# --data-value app_name=pinn-super \ -# --data-value namespace=pinn-super \ -# --data-value-yaml 'custom_labels={"foo": bar}' \ -# --data-value replicas=3 -#) -# -## view it -#echo "$RENDER_OUTPUT_FILE" -# -## give it to kapp -#kapp deploy \ -# --app pinn-super \ -# --diff-changes \ -# --file <( "${RENDER_OUTPUT_FILE}" ) 
diff --git a/deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh b/deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh
deleted file mode 100755
index fd3915e5..00000000
--- a/deploy_carvel/_dev.SCRATCH/deploy_supervisor.sh
+++ /dev/null
@@ -1,66 +0,0 @@ -#!/bin/bash - -# need to maintain this if used. -# but there must be a way to get ytt to read a directory of files. -#RENDERED_OUTPUT_FILES=$( -#ytt \ -# --file supervisor/config/helpers.lib.yaml \ -# --file supervisor/config/config.supervisor.pinniped.dev_federationdomains.yaml \ -# --file supervisor/config/config.supervisor.pinniped.dev_oidcclients.yaml \ -# --file supervisor/config/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml \ -# --file supervisor/config/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml \ -# --file supervisor/config/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml \ -# --file supervisor/config/z0_crd_overlay.yaml \ -# --file supervisor/config/rbac.yaml \ -# --file supervisor/config/service.yaml \ -# --file supervisor/config/deployment.yaml \ -# --file supervisor/config/values.yaml \ -# --data-value app_name=pinn-super \ -# --data-value namespace=pinn-super \ -# --data-value-yaml 'custom_labels={"foo": bar}' \ -# --data-value replicas=3 -#) -# -#echo "${RENDERED_OUTPUT_FILES}" - -APP="pinn-super" - -kapp deploy --app "${APP}" --diff-changes --file <(ytt \ - --file supervisor/config/helpers.lib.yaml \ - --file supervisor/config/config.supervisor.pinniped.dev_federationdomains.yaml \ - --file supervisor/config/config.supervisor.pinniped.dev_oidcclients.yaml \ - --file supervisor/config/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml \ - --file supervisor/config/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml \ - --file supervisor/config/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml \ - --file supervisor/config/z0_crd_overlay.yaml \ - --file supervisor/config/rbac.yaml \ - --file supervisor/config/service.yaml \ - --file supervisor/config/deployment-HACKED.yaml \ - --file supervisor/config/values.yaml \ - --data-value app_name=pinn-super \ - --data-value namespace=pinn-super \ - --data-value-yaml 'custom_labels={"foo": bar}' \ - --data-value replicas=3) - - -## 
template the thing -#RENDER_OUTPUT_FILE=$( -#ytt \ -# --file supervisor/config/helpers.lib.yaml \ -# --file supervisor/config/deployment.yaml \ -# --file supervisor/config/service.yaml \ -# --file supervisor/config/values.yaml \ -# --data-value app_name=pinn-super \ -# --data-value namespace=pinn-super \ -# --data-value-yaml 'custom_labels={"foo": bar}' \ -# --data-value replicas=3 -#) -# -## view it -#echo "$RENDER_OUTPUT_FILE" -# -## give it to kapp -#kapp deploy \ -# --app pinn-super \ -# --diff-changes \ -# --file <( "${RENDER_OUTPUT_FILE}" ) diff --git a/deploy_carvel/_dev.SCRATCH/integration-test-env b/deploy_carvel/_dev.SCRATCH/integration-test-env deleted file mode 100644 index e75e1055..00000000 --- a/deploy_carvel/_dev.SCRATCH/integration-test-env +++ /dev/null 
@@ -1,89 +0,0 @@
-# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
-export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
-export PINNIPED_TEST_CONCIERGE_NAMESPACE=concierge
-export PINNIPED_TEST_CONCIERGE_APP_NAME=pinniped-concierge
-export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='{myConciergeCustomLabelName: myConciergeCustomLabelValue}'
-export PINNIPED_TEST_USER_USERNAME=test-username
-export PINNIPED_TEST_USER_GROUPS=test-group-0,test-group-1
-export PINNIPED_TEST_USER_TOKEN=test-username:bf1dc425a45f9ee37ccf6f35931a3609
-export PINNIPED_TEST_WEBHOOK_ENDPOINT=https://local-user-authenticator.local-user-authenticator.svc/authenticate
-export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=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
-export PINNIPED_TEST_SUPERVISOR_NAMESPACE=supervisor
-export PINNIPED_TEST_SUPERVISOR_APP_NAME=pinniped-supervisor
-export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}'
-export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
-export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
-export PINNIPED_TEST_LDAP_HOST=ldap.tools.svc.cluster.local
-export PINNIPED_TEST_LDAP_STARTTLS_ONLY_HOST=ldapstarttls.tools.svc.cluster.local
-export PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE="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"
-export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME="cn=admin,dc=pinniped,dc=dev"
-export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password
-export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE="ou=users,dc=pinniped,dc=dev"
-export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE="ou=groups,dc=pinniped,dc=dev"
-export PINNIPED_TEST_LDAP_USER_DN="cn=pinny,ou=users,dc=pinniped,dc=dev"
-export PINNIPED_TEST_LDAP_USER_CN="pinny"
-export PINNIPED_TEST_LDAP_USER_PASSWORD=342db8a6d3416ecc99a735f7d00db93d
-export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME="uidNumber"
-export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE="1000"
-export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME="mail"
-export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE="pinny.ldap@example.com"
-export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_DN="cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev;cn=seals,ou=groups,dc=pinniped,dc=dev"
-export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_DN="cn=pinnipeds,ou=groups,dc=pinniped,dc=dev;cn=mammals,ou=groups,dc=pinniped,dc=dev"
-export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_CN="ball-game-players;seals"
-export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN="ball-game-players-posix;seals-posix"
-export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_CN="pinnipeds;mammals"
-export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
-export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="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"
-export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
-export PINNIPED_TEST_CLI_OIDC_CALLBACK_URL=http://127.0.0.1:48095/callback
-export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
-export PINNIPED_TEST_CLI_OIDC_PASSWORD=9306dcb43f0f8d0ccbad3d431c05940d
-export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
-export 
PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjekNDQVJxZ0F3SUJBZ0lVUmE4OENCQWhwbnpNVmt3bmJtQnJ2RXZQdzdVd0NnWUlLb1pJemowRUF3SXcKR0RFV01CUUdBMVVFQXhNTlVHbHVibWx3WldRZ1ZHVnpkREFlRncweU16QTRNamt4T1RBME1EQmFGdzB5T0RBNApNamN4T1RBME1EQmFNQmd4RmpBVUJnTlZCQU1URFZCcGJtNXBjR1ZrSUZSbGMzUXdXVEFUQmdjcWhrak9QUUlCCkJnZ3Foa2pPUFFNQkJ3TkNBQVN1cWVzRStZM1RwWER1c0lKSUFkUHVQU3N5Q3BzUGVUM3BhYnZHdTIwRlpNYXEKTWZLejJrZFlqenhKNlN4b2lTM3dmSkFwc0VRRU9MV1NTaG51QmlrdG8wSXdRREFPQmdOVkhROEJBZjhFQkFNQwpBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVam5Ua3dPc1NhbHVHOXZlcnBtc0VWVGRLCjZZd3dDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdkeTNUcFA3WUFXaVdaaWV6WFBBVVhLOWNIWDJmUW9GVndFZGIKaGhDSDRib0NJR2trNTg5VzZIcHRUMHFVR0sreG9YbzkzeXA4NDBCcXNHMEtoeW5GV29JTQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==" -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES="offline_access,email" -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM=email -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM=groups -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_ID=pinniped-supervisor -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL=https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME=pinny@example.com -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=9306dcb43f0f8d0ccbad3d431c05940d -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS= # Dex's local user store does not let us configure groups. -export PINNIPED_TEST_API_GROUP_SUFFIX='pinniped.dev' -# PINNIPED_TEST_SHELL_CONTAINER_IMAGE should be a container which includes bash and sleep, used by some tests. 
-export PINNIPED_TEST_SHELL_CONTAINER_IMAGE="ghcr.io/pinniped-ci-bot/test-kubectl:latest"
-
-# We can't set up an in-cluster active directory instance, but
-# if you have an active directory instance that you wish to run the tests against,
-# specify a script to set the ad-related environment variables.
-# You will need to set the environment variables that start with "PINNIPED_TEST_AD_"
-# found in pinniped/test/testlib/env.go.
-if [[ "" != "" ]]; then
- source
-fi
-
-read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true
-# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-# The name of the cluster type.
-kubernetesDistribution: Kind
-
-# Describe the capabilities of the cluster against which the integration tests will run.
-capabilities:
-
- # Is it possible to borrow the cluster's signing key from the kube API server?
- clusterSigningKeyIsAvailable: true
-
- # Will the cluster successfully provision a load balancer if requested?
- hasExternalLoadBalancerProvider: false
-
- # Does the cluster allow requests without authentication?
- # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
- anonymousAuthenticationSupported: true
-
- # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
- canReachInternetLDAPPorts: true
-PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
-
-export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
diff --git a/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml b/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml
deleted file mode 100644
index ce305a12..00000000
--- a/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml
+++ /dev/null
@@ -1,2662 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kapp-controller ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kapp-controller-packaging-global ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.data.packaging.carvel.dev -spec: - group: data.packaging.carvel.dev - groupPriorityMinimum: 100 - service: - name: packaging-api - namespace: kapp-controller - version: v1alpha1 - versionPriority: 100 ---- -apiVersion: v1 -kind: Service -metadata: - name: packaging-api - namespace: kapp-controller -spec: - ports: - - port: 443 - protocol: TCP - targetPort: api - selector: - app: kapp-controller ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: internalpackagemetadatas.internal.packaging.carvel.dev -spec: - group: internal.packaging.carvel.dev - names: - kind: InternalPackageMetadata - listKind: InternalPackageMetadataList - plural: internalpackagemetadatas - singular: internalpackagemetadata - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - categories: - description: Classifiers of the package (optional; Array of strings) - items: - type: string - type: array - displayName: - description: Human friendly name of the package (optional; string) - type: string - iconSVGBase64: - description: Base64 encoded icon (optional; string) - type: string - longDescription: - description: Long description of the package (optional; string) - type: string - maintainers: - description: List of maintainer info for the package. Currently only - supports the name key. (optional; array of maintner info) - items: - properties: - name: - type: string - type: object - type: array - providerName: - description: Name of the entity distributing the package (optional; - string) - type: string - shortDescription: - description: Short desription of the package (optional; string) - type: string - supportDescription: - description: Description of the support available for the package - (optional; string) - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: internalpackages.internal.packaging.carvel.dev -spec: - group: internal.packaging.carvel.dev - names: - kind: InternalPackage - listKind: InternalPackageList - plural: internalpackages - singular: internalpackage - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - capacityRequirementsDescription: - description: 'System requirements needed to install the package. Note: - these requirements will not be verified by kapp-controller on installation. - (optional; string)' - type: string - includedSoftware: - description: IncludedSoftware can be used to show the software contents - of a Package. This is especially useful if the underlying versions - do not match the Package version - items: - description: IncludedSoftware contains the underlying Software Contents - of a Package - properties: - description: - type: string - displayName: - type: string - version: - type: string - type: object - type: array - kappControllerVersionSelection: - description: KappControllerVersionSelection specifies the versions - of kapp-controller which can install this package - properties: - constraints: - type: string - type: object - kubernetesVersionSelection: - description: KubernetesVersionSelection specifies the versions of - k8s which this package can be installed on - properties: - constraints: - type: string - type: object - licenses: - description: Description of the licenses that apply to the package - software (optional; Array of strings) - items: - type: string - type: array - refName: - description: The name of the PackageMetadata associated with this - version Must be a valid PackageMetadata name (see PackageMetadata - CR for details) Cannot be empty - type: string - releaseNotes: - description: Version release notes (optional; string) - 
type: string - releasedAt: - description: Timestamp of release (iso8601 formatted string; optional) - format: date-time - nullable: true - type: string - template: - properties: - spec: - properties: - canceled: - description: Cancels current and future reconciliations (optional; - default=false) - type: boolean - cluster: - description: Specifies that app should be deployed to destination - cluster; by default, cluster is same as where this resource - resides (optional; v0.5.0+) - properties: - kubeconfigSecretRef: - description: Specifies secret containing kubeconfig (required) - properties: - key: - description: Specifies key that contains kubeconfig - (optional) - type: string - name: - description: Specifies secret name within app's namespace - (required) - type: string - type: object - namespace: - description: Specifies namespace in destination cluster - (optional) - type: string - type: object - deploy: - items: - properties: - kapp: - description: Use kapp to deploy resources - properties: - delete: - description: Configuration for delete command (optional) - properties: - rawOptions: - description: Pass through options to kapp delete - (optional) - items: - type: string - type: array - type: object - inspect: - description: 'Configuration for inspect command - (optional) as of kapp-controller v0.31.0, inspect - is disabled by default add rawOptions or use an - empty inspect config like `inspect: {}` to enable' - properties: - rawOptions: - description: Pass through options to kapp inspect - (optional) - items: - type: string - type: array - type: object - intoNs: - description: Override namespace for all resources - (optional) - type: string - mapNs: - description: Provide custom namespace override mapping - (optional) - items: - type: string - type: array - rawOptions: - description: Pass through options to kapp deploy - (optional) - items: - type: string - type: array - type: object - type: object - type: array - fetch: - items: - properties: - git: - 
description: Uses git to clone repository - properties: - lfsSkipSmudge: - description: Skip lfs download (optional) - type: boolean - ref: - description: Branch, tag, commit; origin is the - name of the remote (optional) - type: string - refSelection: - description: Specifies a strategy to resolve to - an explicit ref (optional; v0.24.0+) - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - secretRef: - description: 'Secret with auth details. allowed - keys: ssh-privatekey, ssh-knownhosts, username, - password (optional) (if ssh-knownhosts is not - specified, git will not perform strict host checking)' - properties: - name: - description: Object is expected to be within - same namespace - type: string - type: object - subPath: - description: Grab only portion of repository (optional) - type: string - url: - description: http or ssh urls are supported (required) - type: string - type: object - helmChart: - description: Uses helm fetch to fetch specified chart - properties: - name: - description: 'Example: stable/redis' - type: string - repository: - properties: - secretRef: - properties: - name: - description: Object is expected to be within - same namespace - type: string - type: object - url: - description: Repository url; scheme of oci:// - will fetch experimental helm oci chart (v0.19.0+) - (required) - type: string - type: object - version: - type: string - type: object - http: - description: Uses http library to fetch file - properties: - secretRef: - description: 'Secret to provide auth details (optional) - Secret may include one or more keys: username, - password' - properties: - name: - description: Object is expected to be within - same namespace - type: string - type: object - sha256: - description: Checksum to verify after download (optional) - type: string - subPath: - description: Grab only portion of download 
(optional) - type: string - url: - description: 'URL can point to one of following - formats: text, tgz, zip http and https url are - supported; plain file, tgz and tar types are supported - (required)' - type: string - type: object - image: - description: Pulls content from Docker/OCI registry - properties: - secretRef: - description: 'Secret may include one or more keys: - username, password, token. By default anonymous - access is used for authentication.' - properties: - name: - description: Object is expected to be within - same namespace - type: string - type: object - subPath: - description: Grab only portion of image (optional) - type: string - tagSelection: - description: Specifies a strategy to choose a tag - (optional; v0.24.0+) if specified, do not include - a tag in url key - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - url: - description: 'Docker image url; unqualified, tagged, - or digest references supported (required) Example: - username/app1-config:v0.1.0' - type: string - type: object - imgpkgBundle: - description: Pulls imgpkg bundle from Docker/OCI registry - (v0.17.0+) - properties: - image: - description: Docker image url; unqualified, tagged, - or digest references supported (required) - type: string - secretRef: - description: 'Secret may include one or more keys: - username, password, token. By default anonymous - access is used for authentication.' 
- properties: - name: - description: Object is expected to be within - same namespace - type: string - type: object - tagSelection: - description: Specifies a strategy to choose a tag - (optional; v0.24.0+) if specified, do not include - a tag in url key - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - type: object - inline: - description: Pulls content from within this resource; - or other resources in the cluster - properties: - paths: - additionalProperties: - type: string - description: Specifies mapping of paths to their - content; not recommended for sensitive values - as CR is not encrypted (optional) - type: object - pathsFrom: - description: Specifies content via secrets and config - maps; data values are recommended to be placed - in secrets (optional) - items: - properties: - configMapRef: - properties: - directoryPath: - description: Specifies where to place - files found in secret (optional) - type: string - name: - type: string - type: object - secretRef: - properties: - directoryPath: - description: Specifies where to place - files found in secret (optional) - type: string - name: - type: string - type: object - type: object - type: array - type: object - path: - description: Relative path to place the fetched artifacts - type: string - type: object - type: array - noopDelete: - description: Deletion requests for the App will result in - the App CR being deleted, but its associated resources will - not be deleted (optional; default=false; v0.18.0+) - type: boolean - paused: - description: Pauses _future_ reconciliation; does _not_ affect - currently running reconciliation (optional; default=false) - type: boolean - serviceAccountName: - description: Specifies that app should be deployed authenticated - via given service account, found in this namespace (optional; - v0.6.0+) - type: string - syncPeriod: - 
description: Specifies the length of time to wait, in time - + unit format, before reconciling. Always >= 30s. If value - below 30s is specified, 30s will be used. (optional; v0.9.0+; - default=30s) - type: string - template: - items: - properties: - cue: - properties: - inputExpression: - description: Cue expression for single path component, - can be used to unify ValuesFrom into a given field - (optional) - type: string - outputExpression: - description: Cue expression to output, default will - export all visible fields (optional) - type: string - paths: - description: Explicit list of files/directories - (optional) - items: - type: string - type: array - valuesFrom: - description: Provide values (optional) - items: - properties: - configMapRef: - properties: - name: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldPath: - description: 'Required: Selects - a field of the app: only annotations, - labels, uid, name and namespace - are supported.' - type: string - kappControllerVersion: - description: 'Optional: Get running - KappController version, defaults - (empty) to retrieving the current - running version.. Can be manually - supplied instead.' - properties: - version: - type: string - type: object - kubernetesAPIs: - description: 'Optional: Get running - KubernetesAPIs from cluster, defaults - (empty) to retrieving the APIs - from the cluster. Can be manually - supplied instead, e.g ["group/version", - "group2/version2"]' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get running - Kubernetes version from cluster, - defaults (empty) to retrieving - the version from the cluster. - Can be manually supplied instead.' 
- properties: - version: - type: string - type: object - name: - type: string - type: object - type: array - type: object - path: - type: string - secretRef: - properties: - name: - type: string - type: object - type: object - type: array - type: object - helmTemplate: - description: Use helm template command to render helm - chart - properties: - kubernetesAPIs: - description: 'Optional: Use kubernetes group/versions - resources available in the live cluster' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get Kubernetes version, - defaults (empty) to retrieving the version from - the cluster. Can be manually overridden to a value - instead.' - properties: - version: - type: string - type: object - name: - description: Set name explicitly, default is App - CR's name (optional; v0.13.0+) - type: string - namespace: - description: Set namespace explicitly, default is - App CR's namespace (optional; v0.13.0+) - type: string - path: - description: Path to chart (optional; v0.13.0+) - type: string - valuesFrom: - description: One or more secrets, config maps, paths - that provide values (optional) - items: - properties: - configMapRef: - properties: - name: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldPath: - description: 'Required: Selects - a field of the app: only annotations, - labels, uid, name and namespace - are supported.' - type: string - kappControllerVersion: - description: 'Optional: Get running - KappController version, defaults - (empty) to retrieving the current - running version.. Can be manually - supplied instead.' - properties: - version: - type: string - type: object - kubernetesAPIs: - description: 'Optional: Get running - KubernetesAPIs from cluster, defaults - (empty) to retrieving the APIs - from the cluster. 
Can be manually - supplied instead, e.g ["group/version", - "group2/version2"]' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get running - Kubernetes version from cluster, - defaults (empty) to retrieving - the version from the cluster. - Can be manually supplied instead.' - properties: - version: - type: string - type: object - name: - type: string - type: object - type: array - type: object - path: - type: string - secretRef: - properties: - name: - type: string - type: object - type: object - type: array - type: object - jsonnet: - description: TODO implement jsonnet - type: object - kbld: - description: Use kbld to resolve image references to - use digests - properties: - paths: - items: - type: string - type: array - type: object - kustomize: - description: TODO implement kustomize - type: object - sops: - description: Use sops to decrypt *.sops.yml files (optional; - v0.11.0+) - properties: - age: - properties: - privateKeysSecretRef: - description: Secret with private armored PGP - private keys (required) - properties: - name: - type: string - type: object - type: object - paths: - description: Lists paths to decrypt explicitly (optional; - v0.13.0+) - items: - type: string - type: array - pgp: - description: Use PGP to decrypt files (required) - properties: - privateKeysSecretRef: - description: Secret with private armored PGP - private keys (required) - properties: - name: - type: string - type: object - type: object - type: object - ytt: - description: Use ytt to template configuration - properties: - fileMarks: - description: Control metadata about input files - passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ - for more details - items: - type: string - type: array - ignoreUnknownComments: - description: Ignores comments that ytt doesn't recognize - (optional; default=false) - type: boolean - inline: - description: Specify 
additional files, including - data values (optional) - properties: - paths: - additionalProperties: - type: string - description: Specifies mapping of paths to their - content; not recommended for sensitive values - as CR is not encrypted (optional) - type: object - pathsFrom: - description: Specifies content via secrets and - config maps; data values are recommended to - be placed in secrets (optional) - items: - properties: - configMapRef: - properties: - directoryPath: - description: Specifies where to place - files found in secret (optional) - type: string - name: - type: string - type: object - secretRef: - properties: - directoryPath: - description: Specifies where to place - files found in secret (optional) - type: string - name: - type: string - type: object - type: object - type: array - type: object - paths: - description: Lists paths to provide to ytt explicitly - (optional) - items: - type: string - type: array - strict: - description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md - (optional; default=false) - type: boolean - valuesFrom: - description: Provide values via ytt's --data-values-file - (optional; v0.19.0-alpha.9) - items: - properties: - configMapRef: - properties: - name: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldPath: - description: 'Required: Selects - a field of the app: only annotations, - labels, uid, name and namespace - are supported.' - type: string - kappControllerVersion: - description: 'Optional: Get running - KappController version, defaults - (empty) to retrieving the current - running version.. Can be manually - supplied instead.' - properties: - version: - type: string - type: object - kubernetesAPIs: - description: 'Optional: Get running - KubernetesAPIs from cluster, defaults - (empty) to retrieving the APIs - from the cluster. 
Can be manually - supplied instead, e.g ["group/version", - "group2/version2"]' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get running - Kubernetes version from cluster, - defaults (empty) to retrieving - the version from the cluster. - Can be manually supplied instead.' - properties: - version: - type: string - type: object - name: - type: string - type: object - type: array - type: object - path: - type: string - secretRef: - properties: - name: - type: string - type: object - type: object - type: array - type: object - type: object - type: array - type: object - required: - - spec - type: object - valuesSchema: - description: valuesSchema can be used to show template values that - can be configured by users when a Package is installed in an OpenAPI - schema format. - properties: - openAPIv3: - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - version: - description: Package version; Referenced by PackageInstall; Must be - valid semver (required) Cannot be empty - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apps.kappctrl.k14s.io -spec: - group: kappctrl.k14s.io - names: - categories: - - carvel - kind: App - listKind: AppList - plural: apps - singular: app - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Friendly description - jsonPath: .status.friendlyDescription - name: Description - type: string - - description: Last time app started being deployed. Does not mean anything was - changed. 
- jsonPath: .status.deploy.startedAt - name: Since-Deploy - type: date - - description: Time since creation - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: 'An App is a set of Kubernetes resources. These resources could - span any number of namespaces or could be cluster-wide (e.g. CRDs). An App - is represented in kapp-controller using a App CR. The App CR comprises of - three main sections: spec.fetch – declare source for fetching configuration - and OCI images spec.template – declare templating tool and values spec.deploy - – declare deployment tool and any deploy specific configuration' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - canceled: - description: Cancels current and future reconciliations (optional; - default=false) - type: boolean - cluster: - description: Specifies that app should be deployed to destination - cluster; by default, cluster is same as where this resource resides - (optional; v0.5.0+) - properties: - kubeconfigSecretRef: - description: Specifies secret containing kubeconfig (required) - properties: - key: - description: Specifies key that contains kubeconfig (optional) - type: string - name: - description: Specifies secret name within app's namespace - (required) - type: string - type: object - namespace: - description: Specifies namespace in destination cluster (optional) - type: string - type: object - deploy: - items: - properties: - kapp: - description: Use kapp to deploy resources - properties: - delete: - description: Configuration for delete command (optional) - properties: - rawOptions: - description: Pass through options to kapp delete (optional) - items: - type: string - type: array - type: object - inspect: - description: 'Configuration for inspect command (optional) - as of kapp-controller v0.31.0, inspect is disabled by - default add rawOptions or use an empty inspect config - like `inspect: {}` to enable' - properties: - rawOptions: - description: Pass through options to kapp inspect (optional) - items: - type: string - type: array - type: object - intoNs: - description: Override namespace for all resources (optional) - type: string - mapNs: - description: Provide custom namespace override mapping (optional) - items: - type: string - type: array - rawOptions: - description: Pass through options to kapp deploy (optional) - items: - type: string - type: array - type: object - type: object - type: array - fetch: - items: - properties: - git: - description: Uses git to clone repository - 
properties: - lfsSkipSmudge: - description: Skip lfs download (optional) - type: boolean - ref: - description: Branch, tag, commit; origin is the name of - the remote (optional) - type: string - refSelection: - description: Specifies a strategy to resolve to an explicit - ref (optional; v0.24.0+) - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - secretRef: - description: 'Secret with auth details. allowed keys: ssh-privatekey, - ssh-knownhosts, username, password (optional) (if ssh-knownhosts - is not specified, git will not perform strict host checking)' - properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - subPath: - description: Grab only portion of repository (optional) - type: string - url: - description: http or ssh urls are supported (required) - type: string - type: object - helmChart: - description: Uses helm fetch to fetch specified chart - properties: - name: - description: 'Example: stable/redis' - type: string - repository: - properties: - secretRef: - properties: - name: - description: Object is expected to be within same - namespace - type: string - type: object - url: - description: Repository url; scheme of oci:// will fetch - experimental helm oci chart (v0.19.0+) (required) - type: string - type: object - version: - type: string - type: object - http: - description: Uses http library to fetch file - properties: - secretRef: - description: 'Secret to provide auth details (optional) - Secret may include one or more keys: username, password' - properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - sha256: - description: Checksum to verify after download (optional) - type: string - subPath: - description: Grab only portion of download (optional) - type: string - url: - description: 'URL 
can point to one of following formats: - text, tgz, zip http and https url are supported; plain - file, tgz and tar types are supported (required)' - type: string - type: object - image: - description: Pulls content from Docker/OCI registry - properties: - secretRef: - description: 'Secret may include one or more keys: username, - password, token. By default anonymous access is used for - authentication.' - properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - subPath: - description: Grab only portion of image (optional) - type: string - tagSelection: - description: Specifies a strategy to choose a tag (optional; - v0.24.0+) if specified, do not include a tag in url key - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - url: - description: 'Docker image url; unqualified, tagged, or - digest references supported (required) Example: username/app1-config:v0.1.0' - type: string - type: object - imgpkgBundle: - description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+) - properties: - image: - description: Docker image url; unqualified, tagged, or digest - references supported (required) - type: string - secretRef: - description: 'Secret may include one or more keys: username, - password, token. By default anonymous access is used for - authentication.' 
- properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - tagSelection: - description: Specifies a strategy to choose a tag (optional; - v0.24.0+) if specified, do not include a tag in url key - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - type: object - inline: - description: Pulls content from within this resource; or other - resources in the cluster - properties: - paths: - additionalProperties: - type: string - description: Specifies mapping of paths to their content; - not recommended for sensitive values as CR is not encrypted - (optional) - type: object - pathsFrom: - description: Specifies content via secrets and config maps; - data values are recommended to be placed in secrets (optional) - items: - properties: - configMapRef: - properties: - directoryPath: - description: Specifies where to place files found - in secret (optional) - type: string - name: - type: string - type: object - secretRef: - properties: - directoryPath: - description: Specifies where to place files found - in secret (optional) - type: string - name: - type: string - type: object - type: object - type: array - type: object - path: - description: Relative path to place the fetched artifacts - type: string - type: object - type: array - noopDelete: - description: Deletion requests for the App will result in the App - CR being deleted, but its associated resources will not be deleted - (optional; default=false; v0.18.0+) - type: boolean - paused: - description: Pauses _future_ reconciliation; does _not_ affect currently - running reconciliation (optional; default=false) - type: boolean - serviceAccountName: - description: Specifies that app should be deployed authenticated via - given service account, found in this namespace (optional; v0.6.0+) - type: string - syncPeriod: - 
description: Specifies the length of time to wait, in time + unit - format, before reconciling. Always >= 30s. If value below 30s is - specified, 30s will be used. (optional; v0.9.0+; default=30s) - type: string - template: - items: - properties: - cue: - properties: - inputExpression: - description: Cue expression for single path component, can - be used to unify ValuesFrom into a given field (optional) - type: string - outputExpression: - description: Cue expression to output, default will export - all visible fields (optional) - type: string - paths: - description: Explicit list of files/directories (optional) - items: - type: string - type: array - valuesFrom: - description: Provide values (optional) - items: - properties: - configMapRef: - properties: - name: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldPath: - description: 'Required: Selects a field - of the app: only annotations, labels, - uid, name and namespace are supported.' - type: string - kappControllerVersion: - description: 'Optional: Get running KappController - version, defaults (empty) to retrieving - the current running version.. Can be manually - supplied instead.' - properties: - version: - type: string - type: object - kubernetesAPIs: - description: 'Optional: Get running KubernetesAPIs - from cluster, defaults (empty) to retrieving - the APIs from the cluster. Can be manually - supplied instead, e.g ["group/version", - "group2/version2"]' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get running Kubernetes - version from cluster, defaults (empty) - to retrieving the version from the cluster. - Can be manually supplied instead.' 
- properties: - version: - type: string - type: object - name: - type: string - type: object - type: array - type: object - path: - type: string - secretRef: - properties: - name: - type: string - type: object - type: object - type: array - type: object - helmTemplate: - description: Use helm template command to render helm chart - properties: - kubernetesAPIs: - description: 'Optional: Use kubernetes group/versions resources - available in the live cluster' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get Kubernetes version, defaults - (empty) to retrieving the version from the cluster. Can - be manually overridden to a value instead.' - properties: - version: - type: string - type: object - name: - description: Set name explicitly, default is App CR's name - (optional; v0.13.0+) - type: string - namespace: - description: Set namespace explicitly, default is App CR's - namespace (optional; v0.13.0+) - type: string - path: - description: Path to chart (optional; v0.13.0+) - type: string - valuesFrom: - description: One or more secrets, config maps, paths that - provide values (optional) - items: - properties: - configMapRef: - properties: - name: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldPath: - description: 'Required: Selects a field - of the app: only annotations, labels, - uid, name and namespace are supported.' - type: string - kappControllerVersion: - description: 'Optional: Get running KappController - version, defaults (empty) to retrieving - the current running version.. Can be manually - supplied instead.' - properties: - version: - type: string - type: object - kubernetesAPIs: - description: 'Optional: Get running KubernetesAPIs - from cluster, defaults (empty) to retrieving - the APIs from the cluster. 
Can be manually - supplied instead, e.g ["group/version", - "group2/version2"]' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get running Kubernetes - version from cluster, defaults (empty) - to retrieving the version from the cluster. - Can be manually supplied instead.' - properties: - version: - type: string - type: object - name: - type: string - type: object - type: array - type: object - path: - type: string - secretRef: - properties: - name: - type: string - type: object - type: object - type: array - type: object - jsonnet: - description: TODO implement jsonnet - type: object - kbld: - description: Use kbld to resolve image references to use digests - properties: - paths: - items: - type: string - type: array - type: object - kustomize: - description: TODO implement kustomize - type: object - sops: - description: Use sops to decrypt *.sops.yml files (optional; - v0.11.0+) - properties: - age: - properties: - privateKeysSecretRef: - description: Secret with private armored PGP private - keys (required) - properties: - name: - type: string - type: object - type: object - paths: - description: Lists paths to decrypt explicitly (optional; - v0.13.0+) - items: - type: string - type: array - pgp: - description: Use PGP to decrypt files (required) - properties: - privateKeysSecretRef: - description: Secret with private armored PGP private - keys (required) - properties: - name: - type: string - type: object - type: object - type: object - ytt: - description: Use ytt to template configuration - properties: - fileMarks: - description: Control metadata about input files passed to - ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ - for more details - items: - type: string - type: array - ignoreUnknownComments: - description: Ignores comments that ytt doesn't recognize - (optional; default=false) - type: boolean - inline: - description: Specify additional 
files, including data values - (optional) - properties: - paths: - additionalProperties: - type: string - description: Specifies mapping of paths to their content; - not recommended for sensitive values as CR is not - encrypted (optional) - type: object - pathsFrom: - description: Specifies content via secrets and config - maps; data values are recommended to be placed in - secrets (optional) - items: - properties: - configMapRef: - properties: - directoryPath: - description: Specifies where to place files - found in secret (optional) - type: string - name: - type: string - type: object - secretRef: - properties: - directoryPath: - description: Specifies where to place files - found in secret (optional) - type: string - name: - type: string - type: object - type: object - type: array - type: object - paths: - description: Lists paths to provide to ytt explicitly (optional) - items: - type: string - type: array - strict: - description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md - (optional; default=false) - type: boolean - valuesFrom: - description: Provide values via ytt's --data-values-file - (optional; v0.19.0-alpha.9) - items: - properties: - configMapRef: - properties: - name: - type: string - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldPath: - description: 'Required: Selects a field - of the app: only annotations, labels, - uid, name and namespace are supported.' - type: string - kappControllerVersion: - description: 'Optional: Get running KappController - version, defaults (empty) to retrieving - the current running version.. Can be manually - supplied instead.' - properties: - version: - type: string - type: object - kubernetesAPIs: - description: 'Optional: Get running KubernetesAPIs - from cluster, defaults (empty) to retrieving - the APIs from the cluster. 
Can be manually - supplied instead, e.g ["group/version", - "group2/version2"]' - properties: - groupVersions: - items: - type: string - type: array - type: object - kubernetesVersion: - description: 'Optional: Get running Kubernetes - version from cluster, defaults (empty) - to retrieving the version from the cluster. - Can be manually supplied instead.' - properties: - version: - type: string - type: object - name: - type: string - type: object - type: array - type: object - path: - type: string - secretRef: - properties: - name: - type: string - type: object - type: object - type: array - type: object - type: object - type: array - type: object - status: - properties: - conditions: - items: - properties: - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, this should be a short, machine understandable - string that gives the reason for condition's last transition. - If it reports "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: ConditionType represents reconciler state - type: string - required: - - status - - type - type: object - type: array - consecutiveReconcileFailures: - type: integer - consecutiveReconcileSuccesses: - type: integer - deploy: - properties: - error: - type: string - exitCode: - type: integer - finished: - type: boolean - kapp: - description: KappDeployStatus contains the associated AppCR deployed - resources - properties: - associatedResources: - description: AssociatedResources contains the associated App - label, namespaces and GKs - properties: - groupKinds: - items: - description: GroupKind specifies a Group and a Kind, - but does not force a version. 
This is useful for - identifying concepts during lookup stages without - having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - label: - type: string - namespaces: - items: - type: string - type: array - type: object - type: object - startedAt: - format: date-time - type: string - stderr: - type: string - stdout: - type: string - updatedAt: - format: date-time - type: string - type: object - fetch: - properties: - error: - type: string - exitCode: - type: integer - startedAt: - format: date-time - type: string - stderr: - type: string - stdout: - type: string - updatedAt: - format: date-time - type: string - type: object - friendlyDescription: - type: string - inspect: - properties: - error: - type: string - exitCode: - type: integer - stderr: - type: string - stdout: - type: string - updatedAt: - format: date-time - type: string - type: object - managedAppName: - type: string - observedGeneration: - description: Populated based on metadata.generation when controller - observes a change to the resource; if this value is out of data, - other status fields do not reflect latest state - format: int64 - type: integer - template: - properties: - error: - type: string - exitCode: - type: integer - stderr: - type: string - updatedAt: - format: date-time - type: string - type: object - usefulErrorMessage: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: packageinstalls.packaging.carvel.dev -spec: - group: packaging.carvel.dev - names: - categories: - - carvel - kind: PackageInstall - listKind: PackageInstallList - plural: packageinstalls - shortNames: - - pkgi - singular: packageinstall - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: PackageMetadata name - jsonPath: 
.spec.packageRef.refName - name: Package name - type: string - - description: PackageMetadata version - jsonPath: .status.version - name: Package version - type: string - - description: Friendly description - jsonPath: .status.friendlyDescription - name: Description - type: string - - description: Time since creation - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: A Package Install is an actual installation of a package and - its underlying resources on a Kubernetes cluster. It is represented in kapp-controller - by a PackageInstall CR. A PackageInstall CR must reference a Package CR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - canceled: - description: Canceled when set to true will stop all active changes - type: boolean - cluster: - description: Specifies that Package should be deployed to destination - cluster; by default, cluster is same as where this resource resides - (optional) - properties: - kubeconfigSecretRef: - description: Specifies secret containing kubeconfig (required) - properties: - key: - description: Specifies key that contains kubeconfig (optional) - type: string - name: - description: Specifies secret name within app's namespace - (required) - type: string - type: object - namespace: - description: Specifies namespace in destination cluster (optional) - type: string - type: object - noopDelete: - description: When NoopDelete set to true, PackageInstall deletion - should delete PackageInstall/App CR but preserve App's associated - resources. - type: boolean - packageRef: - description: Specifies the name of the package to install (required) - properties: - refName: - type: string - versionSelection: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - paused: - description: Paused when set to true will ignore all pending changes, - once it set back to false, pending changes will be applied - type: boolean - serviceAccountName: - description: Specifies service account that will be used to install - underlying package contents - type: string - syncPeriod: - description: Controls frequency of App reconciliation in time + unit - format. Always >= 30s. If value below 30s is specified, 30s will - be used. 
- type: string - values: - description: Values to be included in package's templating step (currently - only included in the first templating step) (optional) - items: - properties: - secretRef: - properties: - key: - type: string - name: - type: string - type: object - type: object - type: array - type: object - status: - properties: - conditions: - items: - properties: - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, this should be a short, machine understandable - string that gives the reason for condition's last transition. - If it reports "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: ConditionType represents reconciler state - type: string - required: - - status - - type - type: object - type: array - friendlyDescription: - type: string - lastAttemptedVersion: - description: LastAttemptedVersion specifies what version was last - attempted to be installed. It does _not_ indicate it was successfully - installed. 
- type: string - observedGeneration: - description: Populated based on metadata.generation when controller - observes a change to the resource; if this value is out of data, - other status fields do not reflect latest state - format: int64 - type: integer - usefulErrorMessage: - type: string - version: - description: TODO this is desired resolved version (not actually deployed) - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - packaging.carvel.dev/global-namespace: kapp-controller-packaging-global - name: packagerepositories.packaging.carvel.dev -spec: - group: packaging.carvel.dev - names: - categories: - - carvel - kind: PackageRepository - listKind: PackageRepositoryList - plural: packagerepositories - shortNames: - - pkgr - singular: packagerepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Time since creation - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Friendly description - jsonPath: .status.friendlyDescription - name: Description - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: A package repository is a collection of packages and their metadata. - Similar to a maven repository or a rpm repository, adding a package repository - to a cluster gives users of that cluster the ability to install any of the - packages from that repository. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - fetch: - properties: - git: - description: Uses git to clone repository containing package list - properties: - lfsSkipSmudge: - description: Skip lfs download (optional) - type: boolean - ref: - description: Branch, tag, commit; origin is the name of the - remote (optional) - type: string - refSelection: - description: Specifies a strategy to resolve to an explicit - ref (optional; v0.24.0+) - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - secretRef: - description: 'Secret with auth details. allowed keys: ssh-privatekey, - ssh-knownhosts, username, password (optional) (if ssh-knownhosts - is not specified, git will not perform strict host checking)' - properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - subPath: - description: Grab only portion of repository (optional) - type: string - url: - description: http or ssh urls are supported (required) - type: string - type: object - http: - description: Uses http library to fetch file containing packages - properties: - secretRef: - description: 'Secret to provide auth details (optional) Secret - may include one or more keys: username, password' - properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - sha256: - description: Checksum to verify after download (optional) - type: string - subPath: - description: Grab only portion of download (optional) - type: string - url: - description: 'URL can point to one of following formats: text, - tgz, zip http and https url are supported; 
plain file, tgz - and tar types are supported (required)' - type: string - type: object - image: - description: Image url; unqualified, tagged, or digest references - supported (required) - properties: - secretRef: - description: 'Secret may include one or more keys: username, - password, token. By default anonymous access is used for - authentication.' - properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - subPath: - description: Grab only portion of image (optional) - type: string - tagSelection: - description: Specifies a strategy to choose a tag (optional; - v0.24.0+) if specified, do not include a tag in url key - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - url: - description: 'Docker image url; unqualified, tagged, or digest - references supported (required) Example: username/app1-config:v0.1.0' - type: string - type: object - imgpkgBundle: - description: Pulls imgpkg bundle from Docker/OCI registry - properties: - image: - description: Docker image url; unqualified, tagged, or digest - references supported (required) - type: string - secretRef: - description: 'Secret may include one or more keys: username, - password, token. By default anonymous access is used for - authentication.' 
- properties: - name: - description: Object is expected to be within same namespace - type: string - type: object - tagSelection: - description: Specifies a strategy to choose a tag (optional; - v0.24.0+) if specified, do not include a tag in url key - properties: - semver: - properties: - constraints: - type: string - prereleases: - properties: - identifiers: - items: - type: string - type: array - type: object - type: object - type: object - type: object - inline: - description: Pull content from within this resource; or other - resources in the cluster - properties: - paths: - additionalProperties: - type: string - description: Specifies mapping of paths to their content; - not recommended for sensitive values as CR is not encrypted - (optional) - type: object - pathsFrom: - description: Specifies content via secrets and config maps; - data values are recommended to be placed in secrets (optional) - items: - properties: - configMapRef: - properties: - directoryPath: - description: Specifies where to place files found - in secret (optional) - type: string - name: - type: string - type: object - secretRef: - properties: - directoryPath: - description: Specifies where to place files found - in secret (optional) - type: string - name: - type: string - type: object - type: object - type: array - type: object - type: object - paused: - description: Paused when set to true will ignore all pending changes, - once it set back to false, pending changes will be applied - type: boolean - syncPeriod: - description: Controls frequency of PackageRepository reconciliation - type: string - required: - - fetch - type: object - status: - properties: - conditions: - items: - properties: - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, this should be a short, machine understandable - string that gives the reason for condition's last transition. 
- If it reports "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: ConditionType represents reconciler state - type: string - required: - - status - - type - type: object - type: array - consecutiveReconcileFailures: - type: integer - consecutiveReconcileSuccesses: - type: integer - deploy: - properties: - error: - type: string - exitCode: - type: integer - finished: - type: boolean - kapp: - description: KappDeployStatus contains the associated AppCR deployed - resources - properties: - associatedResources: - description: AssociatedResources contains the associated App - label, namespaces and GKs - properties: - groupKinds: - items: - description: GroupKind specifies a Group and a Kind, - but does not force a version. This is useful for - identifying concepts during lookup stages without - having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - label: - type: string - namespaces: - items: - type: string - type: array - type: object - type: object - startedAt: - format: date-time - type: string - stderr: - type: string - stdout: - type: string - updatedAt: - format: date-time - type: string - type: object - fetch: - properties: - error: - type: string - exitCode: - type: integer - startedAt: - format: date-time - type: string - stderr: - type: string - stdout: - type: string - updatedAt: - format: date-time - type: string - type: object - friendlyDescription: - type: string - observedGeneration: - description: Populated based on metadata.generation when controller - observes a change to the resource; if this value is out of data, - other status fields do not reflect latest state - format: int64 - type: integer - template: - properties: - error: - type: string - exitCode: - type: integer - stderr: - type: string - updatedAt: - format: date-time - type: string - type: object - 
usefulErrorMessage: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - kapp-controller.carvel.dev/version: v0.47.0 - kbld.k14s.io/images: | - - origins: - - local: - path: /home/runner/work/kapp-controller/kapp-controller - - git: - dirty: true - remoteURL: https://github.com/carvel-dev/kapp-controller - sha: 2165849357e783c711ff11e500a8a763c3a7b0a5 - tags: - - v0.47.0 - url: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6 - name: kapp-controller - namespace: kapp-controller -spec: - replicas: 1 - revisionHistoryLimit: 0 - selector: - matchLabels: - app: kapp-controller - template: - metadata: - labels: - app: kapp-controller - spec: - containers: - - args: - - -packaging-global-namespace=kapp-controller-packaging-global - - -enable-api-priority-and-fairness=True - - -tls-cipher-suites= - env: - - name: KAPPCTRL_MEM_TMP_DIR - value: /etc/kappctrl-mem-tmp - - name: KAPPCTRL_SIDECAREXEC_SOCK - value: /etc/kappctrl-mem-tmp/sidecarexec.sock - - name: KAPPCTRL_SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KAPPCTRL_API_PORT - value: "10350" - image: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6 - name: kapp-controller - ports: - - containerPort: 10350 - name: api - protocol: TCP - resources: - requests: - cpu: 120m - memory: 100Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /etc/kappctrl-mem-tmp - name: template-fs - - mountPath: /home/kapp-controller - name: home - - args: - - --sidecarexec - env: - - name: KAPPCTRL_SIDECAREXEC_SOCK - value: /etc/kappctrl-mem-tmp/sidecarexec.sock - - name: IMGPKG_ACTIVE_KEYCHAINS - value: gke,aks,ecr - image: 
ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6 - name: kapp-controller-sidecarexec - resources: - requests: - cpu: 120m - memory: 100Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: false - runAsNonRoot: true - volumeMounts: - - mountPath: /etc/kappctrl-mem-tmp - name: template-fs - - mountPath: /home/kapp-controller - name: home - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: empty-sa - serviceAccount: kapp-controller-sa - volumes: - - emptyDir: - medium: Memory - name: template-fs - - emptyDir: - medium: Memory - name: home - - emptyDir: {} - name: empty-sa ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kapp-controller-sa - namespace: kapp-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kapp-controller-cluster-role -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - kappctrl.k14s.io - resources: - - apps - - apps/status - verbs: - - '*' -- apiGroups: - - packaging.carvel.dev - resources: - - packageinstalls - - packageinstalls/status - - packageinstalls/finalizers - verbs: - - '*' -- apiGroups: - - packaging.carvel.dev - resources: - - packagerepositories - - packagerepositories/status - verbs: - - '*' -- apiGroups: - - internal.packaging.carvel.dev - resources: - - internalpackagemetadatas - verbs: - - '*' -- apiGroups: - - data.packaging.carvel.dev - resources: - - packagemetadatas - - packagemetadatas/status - verbs: - - '*' -- apiGroups: - - internal.packaging.carvel.dev - resources: - - internalpackages - verbs: - - '*' -- apiGroups: - - data.packaging.carvel.dev - resources: - - packages - - packages/status - verbs: - - '*' -- apiGroups: 
- - "" - resources: - - configmaps - verbs: - - '*' -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - update - - get -- apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - watch - - get - - update -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - verbs: - - list - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - list - - watch -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - flowcontrol.apiserver.k8s.io - resources: - - prioritylevelconfigurations - - flowschemas - verbs: - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kapp-controller-user-role -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create -- apiGroups: - - kappctrl.k14s.io - resources: - - apps - - apps/status - verbs: - - '*' -- apiGroups: - - packaging.carvel.dev - resources: - - packageinstalls - - packageinstalls/status - - packageinstalls/finalizers - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - verbs: - - '*' -- apiGroups: - - packaging.carvel.dev - resources: - - packagerepositories - - packagerepositories/status - verbs: - - get - - list - - watch -- apiGroups: - - internal.packaging.carvel.dev - resources: - - internalpackagemetadatas - verbs: - - get - - list - - watch -- apiGroups: - - data.packaging.carvel.dev - resources: - - packagemetadatas - - packagemetadatas/status - verbs: - - get - - list - - watch -- apiGroups: - - internal.packaging.carvel.dev - resources: - - internalpackages - verbs: - - get - - list - - watch -- apiGroups: - - data.packaging.carvel.dev - resources: - - packages - - 
packages/status - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kapp-controller-cluster-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kapp-controller-cluster-role -subjects: -- kind: ServiceAccount - name: kapp-controller-sa - namespace: kapp-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: pkg-apiserver:system:auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: kapp-controller-sa - namespace: kapp-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: pkgserver-auth-reader - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: kapp-controller-sa - namespace: kapp-controller diff --git a/deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml b/deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml deleted file mode 100644 index 90f244f6..00000000 --- a/deploy_carvel/_dev.SCRATCH/supervisor.deployment.old.yaml +++ /dev/null 
@@ -1,235 +0,0 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
-#! SPDX-License-Identifier: Apache-2.0
-
-#@ load("@ytt:data", "data")
-#@ load("@ytt:yaml", "yaml")
-#@ load("helpers.lib.yaml",
-#@ "defaultLabel",
-#@ "labels",
-#@ "deploymentPodLabel",
-#@ "namespace",
-#@ "defaultResourceName",
-#@ "defaultResourceNameWithSuffix",
-#@ "pinnipedDevAPIGroupWithPrefix",
-#@ "getPinnipedConfigMapData",
-#@ "hasUnixNetworkEndpoint",
-#@ )
-#@ load("@ytt:template", "template")
-#@ if not data.values.into_namespace:
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: #@ data.values.namespace
- labels: #@ labels()
-#@ end
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: #@ defaultResourceName()
- namespace: #@ namespace()
- labels: #@ labels()
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: #@ defaultResourceNameWithSuffix("static-config")
- namespace: #@ namespace()
- labels: #@ labels()
-data:
- #@yaml/text-templated-strings
- pinniped.yaml: #@ yaml.encode(getPinnipedConfigMapData())
----
-#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
-apiVersion: v1
-kind: Secret
-metadata:
- name: image-pull-secret
- namespace: #@ namespace()
- labels: #@ labels()
-type: kubernetes.io/dockerconfigjson
-data:
- .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
-#@ end
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: #@ defaultResourceName()
- namespace: #@ namespace()
- labels: #@ labels()
-spec:
- replicas: #@ data.values.replicas
- selector:
- #! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades.
- matchLabels: #@ defaultLabel()
- template:
- metadata:
- labels:
- #! This has always included defaultLabel(), which is used by this Deployment's selector.
- _: #@ template.replace(defaultLabel())
- #! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically
- #! without accidentally selecting pods from any future Deployments which might also want to use the defaultLabel().
- _: #@ template.replace(deploymentPodLabel())
- spec:
- securityContext:
- runAsUser: #@ data.values.run_as_user
- runAsGroup: #@ data.values.run_as_group
- serviceAccountName: #@ defaultResourceName()
- #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
- imagePullSecrets:
- - name: image-pull-secret
- #@ end
- containers:
- - name: #@ defaultResourceName()
- #@ if data.values.image_digest:
- image: #@ data.values.image_repo + "@" + data.values.image_digest
- #@ else:
- image: #@ data.values.image_repo + ":" + data.values.image_tag
- #@ end
- imagePullPolicy: IfNotPresent
- command:
- - pinniped-supervisor
- - /etc/podinfo
- - /etc/config/pinniped.yaml
- securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop: [ "ALL" ]
- #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a
- #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's
- #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
- seccompProfile:
- type: "RuntimeDefault"
- resources:
- requests:
- #! If OIDCClient CRs are being used, then the Supervisor needs enough CPU to run expensive bcrypt
- #! operations inside the implementation of the token endpoint for any authcode flows performed by those
- #! clients, so for that use case administrators may wish to increase the requests.cpu value to more
- #! closely align with their anticipated needs. Increasing this value will cause Kubernetes to give more
- #! available CPU to this process during times of high CPU contention. By default, don't ask for too much
- #! because that would make it impossible to install the Pinniped Supervisor on small clusters.
- #! Aside from performing bcrypts at the token endpoint for those clients, the Supervisor is not a
- #! particularly CPU-intensive process.
- cpu: "100m" #! by default, request one-tenth of a CPU
- memory: "128Mi"
- limits:
- #! By declaring a CPU limit that is not equal to the CPU request value, the Supervisor will be classified
- #! by Kubernetes to have "burstable" quality of service.
- #! See https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-burstable
- #! If OIDCClient CRs are being used, and lots of simultaneous users have active sessions, then it is hard
- #! pre-determine what the CPU limit should be for that use case. Guessing too low would cause the
- #! pod's CPU usage to be throttled, resulting in poor performance. Guessing too high would allow clients
- #! to cause the usage of lots of CPU resources. Administrators who have a good sense of anticipated usage
- #! patterns may choose to set the requests.cpu and limits.cpu differently from these defaults.
- cpu: "1000m" #! by default, throttle each pod's usage at 1 CPU
- memory: "128Mi"
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config
- readOnly: true
- - name: podinfo
- mountPath: /etc/podinfo
- readOnly: true
- #@ if hasUnixNetworkEndpoint():
- - name: socket
- mountPath: /pinniped_socket
- readOnly: false #! writable to allow for socket use
- #@ end
- ports:
- - containerPort: 8443
- protocol: TCP
- env:
- #@ if data.values.https_proxy:
- - name: HTTPS_PROXY
- value: #@ data.values.https_proxy
- #@ end
- #@ if data.values.https_proxy and data.values.no_proxy:
- - name: NO_PROXY
- value: #@ data.values.no_proxy
- #@ end
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8443
- scheme: HTTPS
- initialDelaySeconds: 2
- timeoutSeconds: 15
- periodSeconds: 10
- failureThreshold: 5
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- scheme: HTTPS
- initialDelaySeconds: 2
- timeoutSeconds: 3
- periodSeconds: 10
- failureThreshold: 3
- volumes:
- - name: config-volume
- configMap:
- name: #@ defaultResourceNameWithSuffix("static-config")
- - name: podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "namespace"
- fieldRef:
- fieldPath: metadata.namespace
- - path: "name"
- fieldRef:
- fieldPath: metadata.name
- #@ if hasUnixNetworkEndpoint():
- - name: socket
- emptyDir: {}
- #@ end
- #! This will help make sure our multiple pods run on different nodes, making
- #! our deployment "more" "HA".
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 50
- podAffinityTerm:
- labelSelector:
- matchLabels: #@ deploymentPodLabel()
- topologyKey: kubernetes.io/hostname
----
-apiVersion: v1
-kind: Service
-metadata:
- #! If name is changed, must also change names.apiService in the ConfigMap above and spec.service.name in the APIService below.
- name: #@ defaultResourceNameWithSuffix("api")
- namespace: #@ namespace()
- labels: #@ labels()
- #! prevent kapp from altering the selector of our services to match kubectl behavior
- annotations:
- kapp.k14s.io/disable-default-label-scoping-rules: ""
-spec:
- type: ClusterIP
- selector: #@ deploymentPodLabel()
- ports:
- - protocol: TCP
- port: 443
- targetPort: 10250
----
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- name: #@ pinnipedDevAPIGroupWithPrefix("v1alpha1.clientsecret.supervisor")
- labels: #@ labels()
-spec:
- version: v1alpha1
- group: #@ pinnipedDevAPIGroupWithPrefix("clientsecret.supervisor")
- groupPriorityMinimum: 9900
- versionPriority: 15
- #! caBundle: Do not include this key here. Starts out null, will be updated/owned by the golang code.
- service:
- name: #@ defaultResourceNameWithSuffix("api")
- namespace: #@ namespace()
- port: 443