Fix prepare-for-integration-tests.sh with carvel packages

Benjamin A. Petersen 2023-10-03 12:28:00 -04:00
parent de1bbde2cc
commit cb6d299156
No known key found for this signature in database
GPG Key ID: EF6EF83523A4BE46
12 changed files with 981 additions and 176 deletions


@ -10,7 +10,7 @@ spec:
packageRef:
refName: "concierge.pinniped.dev"
versionSelection:
constraints: "0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7"
constraints: "0.0.0-F3326187-009A-4313-B188-1B454D1A7E04"
values:
- secretRef:
name: "concierge-package-install-secret"
@ -29,4 +29,4 @@ stringData:
log_level: debug
image_repo: kind-registry.local:5000/test/build
image_tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04


@ -0,0 +1,155 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-concierge.
default: pinniped-concierge
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-concierge
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: {}
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
kube_cert_agent_image:
type: string
nullable: true
description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
default: null
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
discovery_url:
type: string
nullable: true
description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
default: null
api_serving_certificate_duration_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2592000
api_serving_certificate_renew_before_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2160000
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
impersonation_proxy_spec:
type: object
additionalProperties: false
description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
properties:
mode:
type: string
description: If enabled, the impersonation proxy will always run regardless of other strategies available.
default: auto
external_endpoint:
type: string
nullable: true
description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
default: null
service:
type: object
additionalProperties: false
description: The impersonation proxy service configuration
properties:
type:
type: string
nullable: true
description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
default: null
annotations:
type: object
additionalProperties: false
nullable: true
description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
properties:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
type: string
default: "4000"
load_balancer_ip:
type: string
nullable: true
description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
default: null
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local


@ -10,7 +10,7 @@ spec:
packageRef:
refName: "local-user-authenticator.pinniped.dev"
versionSelection:
constraints: "0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7"
constraints: "0.0.0-F3326187-009A-4313-B188-1B454D1A7E04"
values:
- secretRef:
name: "local-user-authenticator-package-install-secret"
@ -23,10 +23,5 @@ metadata:
stringData:
values.yml: |
---
app_name: pinniped-concierge
namespace: concierge
api_group_suffix: pinniped.dev
log_level: debug
image_repo: kind-registry.local:5000/test/build
image_tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04


@ -0,0 +1,55 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532


@ -2,45 +2,24 @@
apiVersion: imgpkg.carvel.dev/v1alpha1
images:
- annotations:
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
kbld.carvel.dev/origins: |
- resolved:
tag: 0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
url: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:666682c02d09cef2d116152d4762e8af52c03bc133d06c91f8ea1ff2db605a90
tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
url: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:ffc8371ff94e939233af0643476a597c025adb5609cc35c5ded6bd67ce13fdec
- annotations:
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
kbld.carvel.dev/origins: |
- resolved:
tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
url: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:666682c02d09cef2d116152d4762e8af52c03bc133d06c91f8ea1ff2db605a90
tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
url: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:4f111f27ecf38622e4cbb29ce1d88589b488d8eb57d9b29cb577d64a417a2c4c
- annotations:
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
kbld.carvel.dev/origins: |
- resolved:
tag: 0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
url: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:a094c2971a8a24c3ab34e0146cbb540d6277e853bbc8fd3efb6691b174bb5709
- annotations:
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
kbld.carvel.dev/origins: |
- resolved:
tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
url: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:a094c2971a8a24c3ab34e0146cbb540d6277e853bbc8fd3efb6691b174bb5709
- annotations:
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
kbld.carvel.dev/origins: |
- resolved:
tag: 0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
url: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8
image: kind-registry.local:5000/test/build/test/build-package-supervisor@sha256:28488e1c9bbf8988c9a9f70ae6478188b6ebe01522fe45029940ed21a2cf221f
- annotations:
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
kbld.carvel.dev/origins: |
- resolved:
tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
url: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
image: kind-registry.local:5000/test/build/test/build-package-supervisor@sha256:28488e1c9bbf8988c9a9f70ae6478188b6ebe01522fe45029940ed21a2cf221f
tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
url: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
image: kind-registry.local:5000/test/build/test/build-package-supervisor@sha256:f3ceb23f0202c83955f4ad1a7836325340da25ebb6d2e14f02a66e915b4e09f5
kind: ImagesLock


@ -0,0 +1,173 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: concierge.pinniped.dev.0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
spec:
refName: concierge.pinniped.dev
version: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
releaseNotes: |
Initial release of the pinniped concierge package, TODO: AUTOMATE THIS??
valuesSchema:
openAPIv3:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-concierge.
default: pinniped-concierge
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-concierge
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: null
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
kube_cert_agent_image:
type: string
nullable: true
description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
default: null
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
discovery_url:
type: string
nullable: true
description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
default: null
api_serving_certificate_duration_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2592000
api_serving_certificate_renew_before_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2160000
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
impersonation_proxy_spec:
type: object
additionalProperties: false
description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
properties:
mode:
type: string
description: If enabled, the impersonation proxy will always run regardless of other strategies available.
default: auto
external_endpoint:
type: string
nullable: true
description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
default: null
service:
type: object
additionalProperties: false
description: The impersonation proxy service configuration
properties:
type:
type: string
nullable: true
description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
default: null
annotations:
type: object
additionalProperties: false
nullable: true
description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
properties:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
type: string
default: "4000"
load_balancer_ip:
type: string
nullable: true
description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
default: null
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
template:
spec:
fetch:
- imgpkgBundle:
image: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
template:
- ytt:
paths:
- config/
- kbld:
paths:
- .imgpkg/images.yml
- '-'
deploy:
- kapp: {}
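Review bot: The `image:` under `spec.template.spec.fetch[0].imgpkgBundle` pins the bundle by the mutable tag `0.0.0-F3326187-…`, while the ImagesLock added in this same commit already records the digest that tag resolved to; a tag in the kind registry can be re-pushed without the Package noticing, so the fetch should reference the digest instead: `image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:ffc8371ff94e939233af0643476a597c025adb5609cc35c5ded6bd67ce13fdec`. The same applies to the local-user-authenticator and supervisor Package files in this commit, whose digests are also in the ImagesLock. Separately, `valuesSchema` declares `image_pull_dockerconfigjson.properties.auths` with `additionalProperties: false` and the single example key `https://registry.example.com`, so if kapp-controller validates PackageInstall values against this schema, a dockerconfigjson for a real private registry would be rejected; the `auths` object presumably needs to allow arbitrary registry keys rather than that fixed one. Note also that `custom_labels` defaults to `null` here but to `{}` in the ytt-generated schema file added alongside it, so the two schemas for the same package disagree. Finally, `releaseNotes` still carries the `TODO: AUTOMATE THIS??` placeholder in all three Package files, which is what package consumers will see.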


@ -0,0 +1,73 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: local-user-authenticator.pinniped.dev.0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
spec:
refName: local-user-authenticator.pinniped.dev
version: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
releaseNotes: |
Initial release of the local-user-authenticator package, TODO: AUTOMATE THIS??
valuesSchema:
openAPIv3:
type: object
additionalProperties: false
properties:
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
template:
spec:
fetch:
- imgpkgBundle:
image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
template:
- ytt:
paths:
- config/
- kbld:
paths:
- .imgpkg/images.yml
- '-'
deploy:
- kapp: {}


@ -0,0 +1,182 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: supervisor.pinniped.dev.0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
spec:
refName: supervisor.pinniped.dev
version: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
releaseNotes: |
Initial release of the pinniped supervisor package, TODO: AUTOMATE THIS??
valuesSchema:
openAPIv3:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-supervisor.
default: pinniped-supervisor
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-supervisor
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: null
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
deprecated_service_http_nodeport_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_nodeport_nodeport:
type: integer
nullable: true
description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
default: null
deprecated_service_http_loadbalancer_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_clusterip_port:
type: integer
nullable: true
description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
default: null
service_https_nodeport_port:
type: integer
nullable: true
description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_nodeport_nodeport:
type: integer
nullable: true
description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
default: null
service_https_loadbalancer_port:
type: integer
nullable: true
description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_clusterip_port:
type: integer
nullable: true
description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_loadbalancer_ip:
type: string
nullable: true
description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
default: null
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
endpoints:
type: object
additionalProperties: false
nullable: true
description: Control the HTTP and HTTPS listeners of the Supervisor.
properties:
https:
type: object
additionalProperties: false
properties:
network:
type: string
default: tcp
address:
type: string
default: 1.2.3.4:5678
deprecated_insecure_accept_external_unencrypted_http_requests:
type: boolean
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: false
template:
spec:
fetch:
- imgpkgBundle:
image: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
template:
- ytt:
paths:
- config/
- kbld:
paths:
- .imgpkg/images.yml
- '-'
deploy:
- kapp: {}


@ -10,7 +10,7 @@ spec:
packageRef:
refName: "supervisor.pinniped.dev"
versionSelection:
constraints: "0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7"
constraints: "0.0.0-F3326187-009A-4313-B188-1B454D1A7E04"
values:
- secretRef:
name: "supervisor-package-install-secret"
@ -27,7 +27,7 @@ stringData:
namespace: supervisor
api_group_suffix: pinniped.dev
image_repo: kind-registry.local:5000/test/build
image_tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7
image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04
log_level: debug
service_https_nodeport_port: 443


@ -0,0 +1,164 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-supervisor.
default: pinniped-supervisor
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-supervisor
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: {}
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
deprecated_service_http_nodeport_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_nodeport_nodeport:
type: integer
nullable: true
description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
default: null
deprecated_service_http_loadbalancer_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_clusterip_port:
type: integer
nullable: true
description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
default: null
service_https_nodeport_port:
type: integer
nullable: true
description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_nodeport_nodeport:
type: integer
nullable: true
description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
default: null
service_https_loadbalancer_port:
type: integer
nullable: true
description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_clusterip_port:
type: integer
nullable: true
description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_loadbalancer_ip:
type: string
nullable: true
description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
default: null
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
endpoints:
type: object
additionalProperties: false
nullable: true
description: Control the HTTP and HTTPS listeners of the Supervisor.
properties:
https:
type: object
additionalProperties: false
properties:
network:
type: string
default: tcp
address:
type: string
default: 1.2.3.4:5678
deprecated_insecure_accept_external_unencrypted_http_requests:
type: boolean
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: false


@ -80,7 +80,7 @@ kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel
kubectl get customresourcedefinitions
# Generate the OpenAPI v3 Schema files, imgpkg images.yml files
declare -a arr=("supervisor" "concierge" "local-user-authenticator")
declare -a arr=("local-user-authenticator" "concierge" "supervisor")
for resource_name in "${arr[@]}"
do
resource_qualified_name="${resource_name}.${api_group_suffix}"
@ -88,11 +88,12 @@ do
resource_dir="deploy_carvel/${resource_name}"
resource_config_source_dir="deploy/${resource_name}"
resource_config_destination_dir="deploy_carvel/${resource_name}/config"
resource_destination_dir="deploy_carvel/${resource_name}"
resource_config_destination_dir="${resource_destination_dir}/config"
# these must be real files, not symlinks
log_note "Vendir sync deploy directory for ${resource_name} to package bundle..."
pushd "${resource_config_destination_dir}" > /dev/null
pushd "${resource_destination_dir}" > /dev/null
vendir sync
popd > /dev/null
@ -122,6 +123,9 @@ do
# TODO: what is package_image_repo?
# TODO: package_version should just become version, no need for it to not match.
package_repository_dir="deploy_carvel/package_repository/packages/${resource_qualified_name}"
rm -rf "${package_repository_dir}"
mkdir "${package_repository_dir}"
ytt \
--file "${resource_dir}/package-template.yml" \
--data-value-file openapi="${resource_dir}/schema-openapi.yml" \
@ -130,6 +134,7 @@ do
cp "deploy_carvel/${resource_name}/metadata.yml" "${package_repository_dir}/metadata.yml"
done
log_note "Generating .imgpkg/images.yml for Pinniped PackageRepository bundle..."
mkdir -p "deploy_carvel/package_repository/.imgpkg"
kbld --file "deploy_carvel/package_repository/packages/" --imgpkg-lock-output "deploy_carvel/package_repository/.imgpkg/images.yml"
@ -142,9 +147,13 @@ log_note "Validating Pinniped PackageRepository bundle not empty /tmp/${package_
imgpkg pull --bundle "${package_repository_repo_tag}" --output "/tmp/${package_repository_repo_tag}"
## NOTE: could break apart here at a build and a deploy script.
log_note "deploying PackageRepository..."
pinniped_package_repository_name="pinniped-package-repository"
pinniped_package_repository_file="packagerepository.${pinniped_package_version}.yml"
pinniped_package_repository_file="packagerepository.${pinniped_package_version}.yml" # TODO: deploy_carvel/ dir...
echo -n "" > "${pinniped_package_repository_file}"
cat <<EOT >> "${pinniped_package_repository_file}"
---
@ -163,7 +172,6 @@ kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_packa
kapp inspect --app "${pinniped_package_repository_name}" --tree
for resource_name in "${arr[@]}"
do
log_note "creating PackageInstall and RBAC for ${resource_name}..."
@ -213,8 +221,123 @@ EOF
kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y
done
# start local-user-authenticator
# local-user-authenticator
log_note "deploying local-user-authenticator PackageInstall resources..."
resource_name="local-user-authenticator"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
image_repo: $registry_repo
image_tag: $tag
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
test_username="test-username"
test_groups="test-group-0,test-group-1"
test_password="$(openssl rand -hex 16)"
log_note "Creating test user '$test_username'..."
kubectl create secret generic "$test_username" \
--namespace local-user-authenticator \
--from-literal=groups="$test_groups" \
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
--dry-run=client \
--output yaml |
kubectl apply -f -
# end local-user-authenticator
# start concierge
log_note "deploying concierge PackageInstall resources..."
resource_name="concierge"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
# from prepare-for-integration-tests.sh
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
app_name: $concierge_app_name
namespace: $concierge_namespace
api_group_suffix: $api_group_suffix
log_level: $log_level
image_repo: $registry_repo
image_tag: $tag
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
# end concierge
# start supervisor
log_note "deploying supervisor PackageInstall resources..."
resource_name="supervisor"
NAMESPACE="${resource_name}-install-ns"
@ -275,124 +398,23 @@ kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_N
# end supervisor
log_note "appending environment variables to /tmp/integration-test-env"
# TODO: since I pulled these out of the main script, I'll have to put them back as well.
# To be "finished" the scripts need to work for both the ytt deploy and the carvel package,
# regardless of which branch the user takes.
integration_env_file="/tmp/integration-test-env"
integration_env_file_text=$(cat "${integration_env_file}")
# concierge
log_note "deploying concierge PackageInstall resources..."
resource_name="concierge"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
# from prepare-for-integration-tests.sh
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
app_name: $concierge_app_name
namespace: $concierge_namespace
api_group_suffix: $api_group_suffix
log_level: $log_level
image_repo: $registry_repo
image_tag: $tag
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
# end concierge
cat <<EOT >"${integration_env_file}"
export PINNIPED_TEST_USER_USERNAME=${test_username}
export PINNIPED_TEST_USER_GROUPS=${test_groups}
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
EOT
echo "${integration_env_file_text}" >> "${integration_env_file}"
# local-user-authenticator
log_note "deploying local-user-authenticator PackageInstall resources..."
resource_name="local-user-authenticator"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
# from prepare-for-integration-tests.sh
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
app_name: $concierge_app_name
namespace: $concierge_namespace
api_group_suffix: $api_group_suffix
log_level: $log_level
image_repo: $registry_repo
image_tag: $tag
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
# end concierge
log_note "verifying PackageInstall resources..."
kubectl get PackageInstall -A | grep pinniped
kubectl get secret -A | grep pinniped
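Review bot: The rewrite of `${integration_env_file}` (read into `integration_env_file_text`, overwritten by the `cat <<EOT >"${integration_env_file}"` heredoc, then the old text echoed back after it) puts the four new exports before the file's previous contents, so when the file is sourced any same-named export in the original text wins — and prepare-for-integration-tests.sh in this same commit writes `PINNIPED_TEST_USER_TOKEN` and `PINNIPED_TEST_WEBHOOK_CA_BUNDLE` itself, with `webhook_ca_bundle="undefined"` in the carvel path (its later reassignment appears to lack the `$` of a command substitution, so it is a literal string). The result is that the test user token and the real webhook CA bundle computed here never reach the integration tests, and the webhook TLS check is handed a bogus trust anchor. Because the prepare script now runs the post-install hook after it has written the env file, appending is sufficient and matches the "appending environment variables" log line: drop `integration_env_file_text=$(cat "${integration_env_file}")` and the trailing `echo "${integration_env_file_text}" >> "${integration_env_file}"`, and change the heredoc to `cat <<EOT >>"${integration_env_file}"` so these exports come last. Separately, the concierge `values.yml` emitted earlier in this script sets no `custom_labels` even though the prepare script still exports `PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS` from `concierge_custom_labels`, so tests that look for those labels will not find them unless the package supplies them by default.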


@ -378,12 +378,15 @@ manifest=/tmp/pinniped-concierge.yaml
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
webhook_ca_bundle="undefined" # TODO: need to fix this later
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_concierge" != "undefined" ] ; then
# TODO: this is typically needed to export below....
# our deploy_carvel script may need to append this to the same file.
webhook_ca_bundle="(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
if [ "$alternate_deploy" != "undefined" ]; then
log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..."
$alternate_deploy pinniped-concierge $tag
@ -410,15 +413,6 @@ else
popd >/dev/null
fi
#
# Call a post-install script
# simplifies passing the $tag which may be necessary if the current local build is to be
# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
if [ "$post_install" != "undefined" ] ; then
log_note "The post-install script will be called with $tag..."
$post_install post-install-script $tag
fi
#
# Download the test CA bundle that was generated in the Dex pod.
# Note that this returns a base64 encoded value.
@ -435,15 +429,16 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
# TODO: fix this later
# export PINNIPED_TEST_USER_USERNAME=${test_username}
# export PINNIPED_TEST_USER_GROUPS=${test_groups}
# export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
cat <<EOF >/tmp/integration-test-env
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}'
export PINNIPED_TEST_USER_USERNAME=${test_username}
export PINNIPED_TEST_USER_GROUPS=${test_groups}
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace}
@ -507,6 +502,18 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
EOF
#
# Call a post-install script
# simplifies passing the $tag which may be necessary if the current local build is to be
# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
# running it after the above also allows appending to the environment variable file
if [ "$post_install" != "undefined" ] ; then
log_note "The post-install script will be called with $tag..."
$post_install post-install-script $tag
fi
#
# Print instructions for next steps.
#