diff --git a/deploy_carvel/concierge-pkginstall.yml b/deploy_carvel/concierge-pkginstall.yml index c1d876c2..007f1f8f 100644 --- a/deploy_carvel/concierge-pkginstall.yml +++ b/deploy_carvel/concierge-pkginstall.yml @@ -10,7 +10,7 @@ spec: packageRef: refName: "concierge.pinniped.dev" versionSelection: - constraints: "0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7" + constraints: "0.0.0-F3326187-009A-4313-B188-1B454D1A7E04" values: - secretRef: name: "concierge-package-install-secret" @@ -29,4 +29,4 @@ stringData: log_level: debug image_repo: kind-registry.local:5000/test/build - image_tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 + image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 diff --git a/deploy_carvel/concierge/schema-openapi.yaml b/deploy_carvel/concierge/schema-openapi.yaml new file mode 100644 index 00000000..9f18a393 --- /dev/null +++ b/deploy_carvel/concierge/schema-openapi.yaml 
@@ -0,0 +1,155 @@ +openapi: 3.0.0 +info: + version: 0.1.0 + title: Schema for data values, generated by ytt +paths: {} +components: + schemas: + dataValues: + type: object + additionalProperties: false + properties: + app_name: + type: string + description: Name of pinniped-concierge. + default: pinniped-concierge + namespace: + type: string + description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace. + default: pinniped-concierge + into_namespace: + type: string + nullable: true + description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used. + default: null + custom_labels: + nullable: true + description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.' + default: {} + replicas: + type: integer + description: Specify how many replicas of the Pinniped server to run. + default: 2 + image_repo: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: projects.registry.vmware.com/pinniped/pinniped-server + image_digest: + type: string + nullable: true + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. 
+ default: null + image_tag: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: latest + kube_cert_agent_image: + type: string + nullable: true + description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used. + default: null + image_pull_dockerconfigjson: + type: object + additionalProperties: false + nullable: true + description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.' + properties: + auths: + type: object + additionalProperties: false + properties: + https://registry.example.com: + type: object + additionalProperties: false + properties: + username: + type: string + default: USERNAME + password: + type: string + default: PASSWORD + auth: + type: string + default: BASE64_ENCODED_USERNAME_COLON_PASSWORD + discovery_url: + type: string + nullable: true + description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden. + default: null + api_serving_certificate_duration_seconds: + type: integer + description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days. 
+ default: 2592000 + api_serving_certificate_renew_before_seconds: + type: integer + description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days. + default: 2160000 + log_level: + type: string + nullable: true + description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. + default: null + deprecated_log_format: + type: string + nullable: true + description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.' + default: null + run_as_user: + type: integer + description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + run_as_group: + type: integer + description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + api_group_suffix: + type: string + description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc. + default: pinniped.dev + impersonation_proxy_spec: + type: object + additionalProperties: false + description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation. + properties: + mode: + type: string + description: If enabled, the impersonation proxy will always run regardless of other strategies available. 
+ default: auto + external_endpoint: + type: string + nullable: true + description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint. + default: null + service: + type: object + additionalProperties: false + description: The impersonation proxy service configuration + properties: + type: + type: string + nullable: true + description: Options are 'LoadBalancer', 'ClusterIP' and 'None'. + default: null + annotations: + type: object + additionalProperties: false + nullable: true + description: The annotations that should be set on the ClusterIP or LoadBalancer Service. + properties: + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: + type: string + default: "4000" + load_balancer_ip: + type: string + nullable: true + description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP. + default: null + https_proxy: + type: string + nullable: true + description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional. + default: null + no_proxy: + type: string + description: do not proxy Kubernetes endpoints + default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local diff --git a/deploy_carvel/local-user-authenticator-pkginstall.yml b/deploy_carvel/local-user-authenticator-pkginstall.yml index 1c53a360..bc950c0a 100644 --- a/deploy_carvel/local-user-authenticator-pkginstall.yml +++ b/deploy_carvel/local-user-authenticator-pkginstall.yml 
@@ -10,7 +10,7 @@ spec: packageRef: refName: "local-user-authenticator.pinniped.dev" versionSelection: - constraints: "0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7" + constraints: "0.0.0-F3326187-009A-4313-B188-1B454D1A7E04" values: - secretRef: name: "local-user-authenticator-package-install-secret" @@ -23,10 +23,5 @@ metadata: stringData: values.yml: | --- - app_name: pinniped-concierge - namespace: concierge - api_group_suffix: pinniped.dev - log_level: debug - image_repo: kind-registry.local:5000/test/build - image_tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 + image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 diff --git a/deploy_carvel/local-user-authenticator/schema-openapi.yaml b/deploy_carvel/local-user-authenticator/schema-openapi.yaml new file mode 100644 index 00000000..6dfcff7f --- /dev/null +++ b/deploy_carvel/local-user-authenticator/schema-openapi.yaml 
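Review bot: The second hunk drops `image_repo: kind-registry.local:5000/test/build` from the local-user-authenticator values secret without re-adding it, leaving `image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04` as the only value, so the package's schema default `projects.registry.vmware.com/pinniped/pinniped-server` is paired with a local throwaway build tag that presumably does not exist in the public registry (and, if it ever did, would be an image this workflow does not control). Removing `app_name`, `namespace`, `api_group_suffix` and `log_level` is correct, since the local-user-authenticator schema has no such keys and is `additionalProperties: false`, but `image_repo` is in that schema and should stay: `image_repo: kind-registry.local:5000/test/build`. If the goal is to install exactly the image that was just built rather than trust a mutable tag, supplying `image_digest` from `.imgpkg/images.yml` would be the stronger choice, as the schema says a digest wins over a tag.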
@@ -0,0 +1,55 @@ +openapi: 3.0.0 +info: + version: 0.1.0 + title: Schema for data values, generated by ytt +paths: {} +components: + schemas: + dataValues: + type: object + additionalProperties: false + properties: + image_repo: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: projects.registry.vmware.com/pinniped/pinniped-server + image_digest: + type: string + nullable: true + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: null + image_tag: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: latest + image_pull_dockerconfigjson: + type: object + additionalProperties: false + nullable: true + description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.' + properties: + auths: + type: object + additionalProperties: false + properties: + https://registry.example.com: + type: object + additionalProperties: false + properties: + username: + type: string + default: USERNAME + password: + type: string + default: PASSWORD + auth: + type: string + default: BASE64_ENCODED_USERNAME_COLON_PASSWORD + run_as_user: + type: integer + description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + run_as_group: + type: integer + description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 
diff --git a/deploy_carvel/package_repository/.imgpkg/images.yml b/deploy_carvel/package_repository/.imgpkg/images.yml index ada38a60..17bc6c5e 100644 --- a/deploy_carvel/package_repository/.imgpkg/images.yml +++ b/deploy_carvel/package_repository/.imgpkg/images.yml 
@@ -2,45 +2,24 @@ apiVersion: imgpkg.carvel.dev/v1alpha1 images: - annotations: - kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 + kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 kbld.carvel.dev/origins: | - resolved: - tag: 0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - url: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:666682c02d09cef2d116152d4762e8af52c03bc133d06c91f8ea1ff2db605a90 + tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + url: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:ffc8371ff94e939233af0643476a597c025adb5609cc35c5ded6bd67ce13fdec - annotations: - kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 + kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 kbld.carvel.dev/origins: | - resolved: - tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - url: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - image: kind-registry.local:5000/test/build/test/build-package-concierge@sha256:666682c02d09cef2d116152d4762e8af52c03bc133d06c91f8ea1ff2db605a90 + tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + url: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:4f111f27ecf38622e4cbb29ce1d88589b488d8eb57d9b29cb577d64a417a2c4c - annotations: - 
kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 + kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 kbld.carvel.dev/origins: | - resolved: - tag: 0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - url: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:a094c2971a8a24c3ab34e0146cbb540d6277e853bbc8fd3efb6691b174bb5709 -- annotations: - kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - kbld.carvel.dev/origins: | - - resolved: - tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - url: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:a094c2971a8a24c3ab34e0146cbb540d6277e853bbc8fd3efb6691b174bb5709 -- annotations: - kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - kbld.carvel.dev/origins: | - - resolved: - tag: 0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - url: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-84D55AC3-B367-41A3-B17B-E11B10443CC8 - image: kind-registry.local:5000/test/build/test/build-package-supervisor@sha256:28488e1c9bbf8988c9a9f70ae6478188b6ebe01522fe45029940ed21a2cf221f -- annotations: - kbld.carvel.dev/id: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - kbld.carvel.dev/origins: | - - resolved: - tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - url: 
kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 - image: kind-registry.local:5000/test/build/test/build-package-supervisor@sha256:28488e1c9bbf8988c9a9f70ae6478188b6ebe01522fe45029940ed21a2cf221f + tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + url: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + image: kind-registry.local:5000/test/build/test/build-package-supervisor@sha256:f3ceb23f0202c83955f4ad1a7836325340da25ebb6d2e14f02a66e915b4e09f5 kind: ImagesLock diff --git a/deploy_carvel/package_repository/packages/concierge.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml b/deploy_carvel/package_repository/packages/concierge.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml new file mode 100644 index 00000000..05f9351b --- /dev/null +++ b/deploy_carvel/package_repository/packages/concierge.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml 
@@ -0,0 +1,173 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + name: concierge.pinniped.dev.0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 +spec: + refName: concierge.pinniped.dev + version: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + releaseNotes: | + Initial release of the pinniped concierge package, TODO: AUTOMATE THIS?? + valuesSchema: + openAPIv3: + type: object + additionalProperties: false + properties: + app_name: + type: string + description: Name of pinniped-concierge. + default: pinniped-concierge + namespace: + type: string + description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace. + default: pinniped-concierge + into_namespace: + type: string + nullable: true + description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used. + default: null + custom_labels: + nullable: true + description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.' + default: null + replicas: + type: integer + description: Specify how many replicas of the Pinniped server to run. + default: 2 + image_repo: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. 
+ default: projects.registry.vmware.com/pinniped/pinniped-server + image_digest: + type: string + nullable: true + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: null + image_tag: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: latest + kube_cert_agent_image: + type: string + nullable: true + description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used. + default: null + image_pull_dockerconfigjson: + type: object + additionalProperties: false + nullable: true + description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.' + properties: + auths: + type: object + additionalProperties: false + properties: + https://registry.example.com: + type: object + additionalProperties: false + properties: + username: + type: string + default: USERNAME + password: + type: string + default: PASSWORD + auth: + type: string + default: BASE64_ENCODED_USERNAME_COLON_PASSWORD + discovery_url: + type: string + nullable: true + description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden. + default: null + api_serving_certificate_duration_seconds: + type: integer + description: Specify the duration and renewal interval for the API serving certificate. 
The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days. + default: 2592000 + api_serving_certificate_renew_before_seconds: + type: integer + description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days. + default: 2160000 + log_level: + type: string + nullable: true + description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. + default: null + deprecated_log_format: + type: string + nullable: true + description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.' + default: null + run_as_user: + type: integer + description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + run_as_group: + type: integer + description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + api_group_suffix: + type: string + description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc. + default: pinniped.dev + impersonation_proxy_spec: + type: object + additionalProperties: false + description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation. 
+ properties: + mode: + type: string + description: If enabled, the impersonation proxy will always run regardless of other strategies available. + default: auto + external_endpoint: + type: string + nullable: true + description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint. + default: null + service: + type: object + additionalProperties: false + description: The impersonation proxy service configuration + properties: + type: + type: string + nullable: true + description: Options are 'LoadBalancer', 'ClusterIP' and 'None'. + default: null + annotations: + type: object + additionalProperties: false + nullable: true + description: The annotations that should be set on the ClusterIP or LoadBalancer Service. + properties: + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: + type: string + default: "4000" + load_balancer_ip: + type: string + nullable: true + description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP. + default: null + https_proxy: + type: string + nullable: true + description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional. 
+ default: null + no_proxy: + type: string + description: do not proxy Kubernetes endpoints + default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local + template: + spec: + fetch: + - imgpkgBundle: + image: kind-registry.local:5000/test/build/test/build-package-concierge:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + template: + - ytt: + paths: + - config/ + - kbld: + paths: + - .imgpkg/images.yml + - '-' + deploy: + - kapp: {} diff --git a/deploy_carvel/package_repository/packages/local-user-authenticator.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml b/deploy_carvel/package_repository/packages/local-user-authenticator.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml new file mode 100644 index 00000000..e00acc0f --- /dev/null +++ b/deploy_carvel/package_repository/packages/local-user-authenticator.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml 
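Review bot: `image_pull_dockerconfigjson` in the concierge valuesSchema is declared as an object whose `auths` map admits exactly one key, the example `https://registry.example.com` (both levels are `additionalProperties: false`), with placeholder defaults `USERNAME`, `PASSWORD` and `BASE64_ENCODED_USERNAME_COLON_PASSWORD`, while its own description says the value is the base64 `.dockerconfigjson` string emitted by `kubectl create secret docker-registry … | jq -r '.data[".dockerconfigjson"]'`. As written, any real registry hostname is schema-invalid and a partially specified value would be completed with placeholder credentials instead of being rejected; the example should not be the schema, e.g. `image_pull_dockerconfigjson: {type: string, nullable: true, default: null}`, or, if a structured object is really intended, drop the example key and allow arbitrary registry keys under `auths` with no credential defaults. The identical export appears in `deploy_carvel/concierge/schema-openapi.yaml` and presumably originates in the ytt data-values schema, so the fix belongs there. Two documentation nits in the same hunk: `impersonation_proxy_spec.mode` describes only the `enabled` case although its default is `auto` (list the accepted values), and the `https_proxy` description talks about the Supervisor and its upstream OIDC calls although this is the Concierge package.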
@@ -0,0 +1,73 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + name: local-user-authenticator.pinniped.dev.0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 +spec: + refName: local-user-authenticator.pinniped.dev + version: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + releaseNotes: | + Initial release of the local-user-authenticator package, TODO: AUTOMATE THIS?? + valuesSchema: + openAPIv3: + type: object + additionalProperties: false + properties: + image_repo: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: projects.registry.vmware.com/pinniped/pinniped-server + image_digest: + type: string + nullable: true + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: null + image_tag: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: latest + image_pull_dockerconfigjson: + type: object + additionalProperties: false + nullable: true + description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.' 
+ properties: + auths: + type: object + additionalProperties: false + properties: + https://registry.example.com: + type: object + additionalProperties: false + properties: + username: + type: string + default: USERNAME + password: + type: string + default: PASSWORD + auth: + type: string + default: BASE64_ENCODED_USERNAME_COLON_PASSWORD + run_as_user: + type: integer + description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + run_as_group: + type: integer + description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + template: + spec: + fetch: + - imgpkgBundle: + image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + template: + - ytt: + paths: + - config/ + - kbld: + paths: + - .imgpkg/images.yml + - '-' + deploy: + - kapp: {} diff --git a/deploy_carvel/package_repository/packages/supervisor.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml b/deploy_carvel/package_repository/packages/supervisor.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml new file mode 100644 index 00000000..6ae8c717 --- /dev/null +++ b/deploy_carvel/package_repository/packages/supervisor.pinniped.dev/0.0.0-F3326187-009A-4313-B188-1B454D1A7E04.yml 
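Review bot: `fetch.imgpkgBundle.image` references the bundle by the mutable tag `0.0.0-F3326187-009A-4313-B188-1B454D1A7E04` even though `.imgpkg/images.yml` in this same commit already records its digest, so the Package is not immutable; `image: kind-registry.local:5000/test/build/test/build-package-local-user-authenticator@sha256:4f111f27ecf38622e4cbb29ce1d88589b488d8eb57d9b29cb577d64a417a2c4c` would pin it (the kbld step only resolves images inside the bundle, not the bundle fetch itself). This may be an accepted convenience for the kind-registry dev loop, but the Package format is what a real repository will ship, so it is worth deciding now. Separately, `image_pull_dockerconfigjson` is typed as an object with `additionalProperties: false` around the single example key `https://registry.example.com` and placeholder `username`/`password`/`auth` defaults, which contradicts its description (the base64 `.dockerconfigjson` string) and rejects any real registry; prefer `type: string, nullable: true, default: null`, and never default credential fields.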
@@ -0,0 +1,182 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + name: supervisor.pinniped.dev.0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 +spec: + refName: supervisor.pinniped.dev + version: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + releaseNotes: | + Initial release of the pinniped supervisor package, TODO: AUTOMATE THIS?? + valuesSchema: + openAPIv3: + type: object + additionalProperties: false + properties: + app_name: + type: string + description: Name of pinniped-supervisor. + default: pinniped-supervisor + namespace: + type: string + description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace. + default: pinniped-supervisor + into_namespace: + type: string + nullable: true + description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used. + default: null + custom_labels: + nullable: true + description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.' + default: null + replicas: + type: integer + description: Specify how many replicas of the Pinniped server to run. + default: 2 + image_repo: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. 
+ default: projects.registry.vmware.com/pinniped/pinniped-server + image_digest: + type: string + nullable: true + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: null + image_tag: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: latest + image_pull_dockerconfigjson: + type: object + additionalProperties: false + nullable: true + description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.' + properties: + auths: + type: object + additionalProperties: false + properties: + https://registry.example.com: + type: object + additionalProperties: false + properties: + username: + type: string + default: USERNAME + password: + type: string + default: PASSWORD + auth: + type: string + default: BASE64_ENCODED_USERNAME_COLON_PASSWORD + deprecated_service_http_nodeport_port: + type: integer + nullable: true + description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort` + default: null + deprecated_service_http_nodeport_nodeport: + type: integer + nullable: true + description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified + default: null + deprecated_service_http_loadbalancer_port: + type: integer + nullable: true + description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort` + 
default: null + deprecated_service_http_clusterip_port: + type: integer + nullable: true + description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`' + default: null + service_https_nodeport_port: + type: integer + nullable: true + description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`' + default: null + service_https_nodeport_nodeport: + type: integer + nullable: true + description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified' + default: null + service_https_loadbalancer_port: + type: integer + nullable: true + description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`' + default: null + service_https_clusterip_port: + type: integer + nullable: true + description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`' + default: null + service_loadbalancer_ip: + type: string + nullable: true + description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided. + default: null + log_level: + type: string + nullable: true + description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. + default: null + deprecated_log_format: + type: string + nullable: true + description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.' 
+ default: null + run_as_user: + type: integer + description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + run_as_group: + type: integer + description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + api_group_suffix: + type: string + description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc. + default: pinniped.dev + https_proxy: + type: string + nullable: true + description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional. + default: null + no_proxy: + type: string + description: do not proxy Kubernetes endpoints + default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local + endpoints: + type: object + additionalProperties: false + nullable: true + description: Control the HTTP and HTTPS listeners of the Supervisor. + properties: + https: + type: object + additionalProperties: false + properties: + network: + type: string + default: tcp + address: + type: string + default: 1.2.3.4:5678 + deprecated_insecure_accept_external_unencrypted_http_requests: + type: boolean + description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. 
These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional. + default: false + template: + spec: + fetch: + - imgpkgBundle: + image: kind-registry.local:5000/test/build/test/build-package-supervisor:0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 + template: + - ytt: + paths: + - config/ + - kbld: + paths: + - .imgpkg/images.yml + - '-' + deploy: + - kapp: {} diff --git a/deploy_carvel/supervisor-pkginstall.yml b/deploy_carvel/supervisor-pkginstall.yml index b166fce3..86caeebe 100644 --- a/deploy_carvel/supervisor-pkginstall.yml +++ b/deploy_carvel/supervisor-pkginstall.yml @@ -10,7 +10,7 @@ spec: packageRef: refName: "supervisor.pinniped.dev" versionSelection: - constraints: "0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7" + constraints: "0.0.0-F3326187-009A-4313-B188-1B454D1A7E04" values: - secretRef: name: "supervisor-package-install-secret" @@ -27,7 +27,7 @@ stringData: namespace: supervisor api_group_suffix: pinniped.dev image_repo: kind-registry.local:5000/test/build - image_tag: 0.0.0-EEE84AC0-DE44-425C-8785-4C6DD92307F7 + image_tag: 0.0.0-F3326187-009A-4313-B188-1B454D1A7E04 log_level: debug service_https_nodeport_port: 443 diff --git a/deploy_carvel/supervisor/schema-openapi.yaml b/deploy_carvel/supervisor/schema-openapi.yaml new file mode 100644 index 00000000..0e0903fa --- /dev/null +++ b/deploy_carvel/supervisor/schema-openapi.yaml 
@@ -0,0 +1,164 @@ +openapi: 3.0.0 +info: + version: 0.1.0 + title: Schema for data values, generated by ytt +paths: {} +components: + schemas: + dataValues: + type: object + additionalProperties: false + properties: + app_name: + type: string + description: Name of pinniped-supervisor. + default: pinniped-supervisor + namespace: + type: string + description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace. + default: pinniped-supervisor + into_namespace: + type: string + nullable: true + description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used. + default: null + custom_labels: + nullable: true + description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.' + default: {} + replicas: + type: integer + description: Specify how many replicas of the Pinniped server to run. + default: 2 + image_repo: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: projects.registry.vmware.com/pinniped/pinniped-server + image_digest: + type: string + nullable: true + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. 
+ default: null + image_tag: + type: string + description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used. + default: latest + image_pull_dockerconfigjson: + type: object + additionalProperties: false + nullable: true + description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.' + properties: + auths: + type: object + additionalProperties: false + properties: + https://registry.example.com: + type: object + additionalProperties: false + properties: + username: + type: string + default: USERNAME + password: + type: string + default: PASSWORD + auth: + type: string + default: BASE64_ENCODED_USERNAME_COLON_PASSWORD + deprecated_service_http_nodeport_port: + type: integer + nullable: true + description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort` + default: null + deprecated_service_http_nodeport_nodeport: + type: integer + nullable: true + description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified + default: null + deprecated_service_http_loadbalancer_port: + type: integer + nullable: true + description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort` + default: null + deprecated_service_http_clusterip_port: + type: integer + nullable: true + description: '#! 
will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`' + default: null + service_https_nodeport_port: + type: integer + nullable: true + description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`' + default: null + service_https_nodeport_nodeport: + type: integer + nullable: true + description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified' + default: null + service_https_loadbalancer_port: + type: integer + nullable: true + description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`' + default: null + service_https_clusterip_port: + type: integer + nullable: true + description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`' + default: null + service_loadbalancer_ip: + type: string + nullable: true + description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided. + default: null + log_level: + type: string + nullable: true + description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. + default: null + deprecated_log_format: + type: string + nullable: true + description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.' 
+ default: null + run_as_user: + type: integer + description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + run_as_group: + type: integer + description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice + default: 65532 + api_group_suffix: + type: string + description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc. + default: pinniped.dev + https_proxy: + type: string + nullable: true + description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional. + default: null + no_proxy: + type: string + description: do not proxy Kubernetes endpoints + default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local + endpoints: + type: object + additionalProperties: false + nullable: true + description: Control the HTTP and HTTPS listeners of the Supervisor. + properties: + https: + type: object + additionalProperties: false + properties: + network: + type: string + default: tcp + address: + type: string + default: 1.2.3.4:5678 + deprecated_insecure_accept_external_unencrypted_http_requests: + type: boolean + description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. 
These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional. + default: false diff --git a/hack/build-carvel-packages.sh b/hack/build-carvel-packages.sh index acda6b24..da493580 100755 --- a/hack/build-carvel-packages.sh +++ b/hack/build-carvel-packages.sh @@ -80,7 +80,7 @@ kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel kubectl get customresourcedefinitions # Generate the OpenAPI v3 Schema files, imgpkg images.yml files -declare -a arr=("supervisor" "concierge" "local-user-authenticator") +declare -a arr=("local-user-authenticator" "concierge" "supervisor") for resource_name in "${arr[@]}" do resource_qualified_name="${resource_name}.${api_group_suffix}" @@ -88,11 +88,12 @@ do resource_dir="deploy_carvel/${resource_name}" resource_config_source_dir="deploy/${resource_name}" - resource_config_destination_dir="deploy_carvel/${resource_name}/config" + resource_destination_dir="deploy_carvel/${resource_name}" + resource_config_destination_dir="${resource_destination_dir}/config" # these must be real files, not symlinks log_note "Vendir sync deploy directory for ${resource_name} to package bundle..." - pushd "${resource_config_destination_dir}" > /dev/null + pushd "${resource_destination_dir}" > /dev/null vendir sync popd > /dev/null @@ -122,6 +123,9 @@ do # TODO: what is package_image_repo? # TODO: package_version should just become version, no need for it to not match. package_repository_dir="deploy_carvel/package_repository/packages/${resource_qualified_name}" + rm -rf "${package_repository_dir}" + mkdir "${package_repository_dir}" + ytt \ --file "${resource_dir}/package-template.yml" \ --data-value-file openapi="${resource_dir}/schema-openapi.yml" \ 
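Review bot: `resource_destination_dir="deploy_carvel/${resource_name}"` in the second hack/build-carvel-packages.sh hunk introduces a second name for the path that `resource_dir`, assigned the identical string in the hunk's own context two lines up, already holds. Deriving from the existing variable keeps the two from drifting apart: `resource_config_destination_dir="${resource_dir}/config"` and `pushd "${resource_dir}" > /dev/null`. In the following hunk, `rm -rf "${package_repository_dir}"` is bounded by the literal `deploy_carvel/package_repository/packages/` prefix, so an unset `resource_qualified_name` cannot widen the delete; writing `rm -rf "${package_repository_dir:?}"` would make that guarantee explicit at the call site. The enclosing `for resource_name` loop begins and ends outside these hunks.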
@@ -130,6 +134,7 @@ do
 cp "deploy_carvel/${resource_name}/metadata.yml" "${package_repository_dir}/metadata.yml"
 done
+
 log_note "Generating .imgpkg/images.yml for Pinniped PackageRepository bundle..."
 mkdir -p "deploy_carvel/package_repository/.imgpkg"
 kbld --file "deploy_carvel/package_repository/packages/" --imgpkg-lock-output "deploy_carvel/package_repository/.imgpkg/images.yml"
@@ -142,9 +147,13 @@ log_note "Validating Pinniped PackageRepository bundle not empty /tmp/${package_
 imgpkg pull --bundle "${package_repository_repo_tag}" --output "/tmp/${package_repository_repo_tag}"
+
+## NOTE: could break apart here at a build and a deploy script.
+
+
 log_note "deploying PackageRepository..."
 pinniped_package_repository_name="pinniped-package-repository"
-pinniped_package_repository_file="packagerepository.${pinniped_package_version}.yml"
+pinniped_package_repository_file="packagerepository.${pinniped_package_version}.yml" # TODO: deploy_carvel/ dir...
 echo -n "" > "${pinniped_package_repository_file}"
 cat <> "${pinniped_package_repository_file}"
 ---
@@ -163,7 +172,6 @@ kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_packa
 kapp inspect --app "${pinniped_package_repository_name}" --tree
-
 for resource_name in "${arr[@]}"
 do
 log_note "creating PackageInstall and RBAC for ${resource_name}..."
@@ -213,8 +221,123 @@ EOF
 kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y
 done
+# start local-user-authenticator
+# local-user-authenticator
+log_note "deploying local-user-authenticator PackageInstall resources..."
+resource_name="local-user-authenticator"
+NAMESPACE="${resource_name}-install-ns"
+PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
+PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
+SECRET_NAME="${resource_name}-package-install-secret"
+
+cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ # name, does not have to be versioned, versionSelection.constraints below will handle
+ name: "${resource_name}-package-install"
+ namespace: "${NAMESPACE}"
+spec:
+ serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+ packageRef:
+ refName: "${RESOURCE_PACKAGE_VERSION}"
+ versionSelection:
+ constraints: "${pinniped_package_version}"
+ values:
+ - secretRef:
+ name: "${SECRET_NAME}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${SECRET_NAME}"
+ namespace: "${NAMESPACE}"
+stringData:
+ values.yml: |
+ ---
+ image_repo: $registry_repo
+ image_tag: $tag
+EOF
+
+KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
+log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
+kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
+
+test_username="test-username"
+test_groups="test-group-0,test-group-1"
+test_password="$(openssl rand -hex 16)"
+log_note "Creating test user '$test_username'..."
+kubectl create secret generic "$test_username" \
+ --namespace local-user-authenticator \
+ --from-literal=groups="$test_groups" \
+ --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
+ --dry-run=client \
+ --output yaml |
+ kubectl apply -f -
+# end local-user-authenticator
+# start concierge
+log_note "deploying concierge PackageInstall resources..."
+resource_name="concierge"
+NAMESPACE="${resource_name}-install-ns"
+PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
+PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
+SECRET_NAME="${resource_name}-package-install-secret"
+
+# from prepare-for-integration-tests.sh
+concierge_app_name="pinniped-concierge"
+concierge_namespace="concierge"
+webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
+webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
+discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
+concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
+log_level="debug"
+cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ # name, does not have to be versioned, versionSelection.constraints below will handle
+ name: "${resource_name}-package-install"
+ namespace: "${NAMESPACE}"
+spec:
+ serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+ packageRef:
+ refName: "${RESOURCE_PACKAGE_VERSION}"
+ versionSelection:
+ constraints: "${pinniped_package_version}"
+ values:
+ - secretRef:
+ name: "${SECRET_NAME}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "${SECRET_NAME}"
+ namespace: "${NAMESPACE}"
+stringData:
+ values.yml: |
+ ---
+ app_name: $concierge_app_name
+ namespace: $concierge_namespace
+ api_group_suffix: $api_group_suffix
+ log_level: $log_level
+
+ image_repo: $registry_repo
+ image_tag: $tag
+EOF
+
+KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
+log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
+kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
+# end concierge
+
+
+# start supervisor
 log_note "deploying supervisor PackageInstall resources..."
 resource_name="supervisor"
 NAMESPACE="${resource_name}-install-ns"
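Review bot: `webhook_url`, `discovery_url` and `concierge_custom_labels` are assigned in the concierge section but never reach the values.yml heredoc, which passes only app_name, namespace, api_group_suffix, log_level, image_repo and image_tag; in particular no `custom_labels` is handed to the package, while prepare-for-integration-tests.sh still exports `PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}'`, so a test that looks for that label on Concierge resources would presumably fail against the Carvel deployment. Adding `custom_labels: $concierge_custom_labels` to the heredoc, or removing the unused assignments, closes that gap. Separately, `htpasswd -nbBC 10 x "$test_password"` passes the password as a command-line argument, where it is visible to other processes on the host; `htpasswd -niBC 10 x <<< "$test_password"` reads it from stdin instead (the value is a fresh `openssl rand` output, so exposure is limited to this dev machine). The hunk ends inside the existing supervisor section, whose body continues outside it.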
@@ -275,124 +398,23 @@ kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_N
 # end supervisor
+log_note "appending environment variables to /tmp/integration-test-env"
+# TODO: since I pulled these out of the main script, I'll have to put them back as well.
+# To be "finished" the scripts need to work for both the ytt deploy and the carvel package,
+# regardless of which branch the user takes.
+integration_env_file="/tmp/integration-test-env"
+integration_env_file_text=$(cat "${integration_env_file}")
-# concierge
-log_note "deploying concierge PackageInstall resources..."
-resource_name="concierge"
-NAMESPACE="${resource_name}-install-ns"
-PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
-RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
-PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
-SECRET_NAME="${resource_name}-package-install-secret"
-
-# from prepare-for-integration-tests.sh
-concierge_app_name="pinniped-concierge"
-concierge_namespace="concierge"
-webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
-webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
-discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
-concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
-log_level="debug"
-cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
----
-apiVersion: packaging.carvel.dev/v1alpha1
-kind: PackageInstall
-metadata:
- # name, does not have to be versioned, versionSelection.constraints below will handle
- name: "${resource_name}-package-install"
- namespace: "${NAMESPACE}"
-spec:
- serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
- packageRef:
- refName: "${RESOURCE_PACKAGE_VERSION}"
- versionSelection:
- constraints: "${pinniped_package_version}"
- values:
- - secretRef:
- name: "${SECRET_NAME}"
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: "${SECRET_NAME}"
- namespace: "${NAMESPACE}"
-stringData:
- values.yml: |
- ---
- app_name: $concierge_app_name
- namespace: $concierge_namespace
- api_group_suffix: $api_group_suffix
- log_level: $log_level
-
- image_repo: $registry_repo
- image_tag: $tag
-EOF
-
-KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
-log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
-kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
-# end concierge
+cat <"${integration_env_file}"
+export PINNIPED_TEST_USER_USERNAME=${test_username}
+export PINNIPED_TEST_USER_GROUPS=${test_groups}
+export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
+export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
+EOT
+echo "${integration_env_file_text}" >> "${integration_env_file}"
-
-# local-user-authenticator
-log_note "deploying local-user-authenticator PackageInstall resources..."
-resource_name="local-user-authenticator"
-NAMESPACE="${resource_name}-install-ns"
-PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
-RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
-PACKAGE_INSTALL_FILE_NAME="deploy_carvel/${resource_name}-pkginstall.yml"
-SECRET_NAME="${resource_name}-package-install-secret"
-
-# from prepare-for-integration-tests.sh
-concierge_app_name="pinniped-concierge"
-concierge_namespace="concierge"
-webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
-webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
-discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
-concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
-log_level="debug"
-cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
----
-apiVersion: packaging.carvel.dev/v1alpha1
-kind: PackageInstall
-metadata:
- # name, does not have to be versioned, versionSelection.constraints below will handle
- name: "${resource_name}-package-install"
- namespace: "${NAMESPACE}"
-spec:
- serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
- packageRef:
- refName: "${RESOURCE_PACKAGE_VERSION}"
- versionSelection:
- constraints: "${pinniped_package_version}"
- values:
- - secretRef:
- name: "${SECRET_NAME}"
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: "${SECRET_NAME}"
- namespace: "${NAMESPACE}"
-stringData:
- values.yml: |
- ---
- app_name: $concierge_app_name
- namespace: $concierge_namespace
- api_group_suffix: $api_group_suffix
- log_level: $log_level
-
- image_repo: $registry_repo
- image_tag: $tag
-EOF
-
-KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
-log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
-kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
-# end concierge
-
 log_note "verifying PackageInstall resources..."
 kubectl get PackageInstall -A | grep pinniped
 kubectl get secret -A | grep pinniped
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 5c959c52..15cef6f6 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -378,12 +378,15 @@ manifest=/tmp/pinniped-concierge.yaml
 concierge_app_name="pinniped-concierge"
 concierge_namespace="concierge"
 webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
-webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
+webhook_ca_bundle="undefined" # TODO: need to fix this later
 discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
 concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
 log_level="debug"
 if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_concierge" != "undefined" ] ; then
+ # TODO: this is typically needed to export below....
+ # our deploy_carvel script may need to append this to the same file.
+ webhook_ca_bundle="(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
 if [ "$alternate_deploy" != "undefined" ]; then
 log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..."
 $alternate_deploy pinniped-concierge $tag
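Review bot: The env-file update in this hunk reads the whole file into `integration_env_file_text`, truncates it with the heredoc, then echoes the old text back; if `/tmp/integration-test-env` does not exist yet the `cat` fails (and aborts the script if `set -e` is in effect, which is not visible here), and an interruption between the truncating write and the `echo` leaves the file holding only the four new exports. Appending with `cat <<EOT >> "${integration_env_file}"` and deleting the `integration_env_file_text` assignment and the trailing `echo` removes both problems and also makes these exports win when the file is sourced, whereas prepending as written lets any same-named export already in the file override them. (The `cat <"${integration_env_file}"` line looks garbled on this page, presumably the heredoc operator was lost in rendering, so the exact redirection is inferred.) The values are written unquoted; `test_password` is hex and `webhook_ca_bundle` is base64, so sourcing works today, but `export PINNIPED_TEST_USER_TOKEN="${test_username}:${test_password}"` would make that robust. The rest of the hunk is the removed duplicate concierge and local-user-authenticator sections.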
@@ -410,15 +413,6 @@ else
 popd >/dev/null
 fi
-#
-# Call a post-install script
-# simplifies passing the $tag which may be necessary if the current local build is to be
-# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
-if [ "$post_install" != "undefined" ] ; then
- log_note "The post-install script will be called with $tag..."
- $post_install post-install-script $tag
-fi
-
 #
 # Download the test CA bundle that was generated in the Dex pod.
 # Note that this returns a base64 encoded value.
@@ -435,15 +429,16 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index
 kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
 pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
+# TODO: fix this later
+# export PINNIPED_TEST_USER_USERNAME=${test_username}
+# export PINNIPED_TEST_USER_GROUPS=${test_groups}
+# export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
 cat </tmp/integration-test-env
 # The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
 export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
 export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
 export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
 export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}'
-export PINNIPED_TEST_USER_USERNAME=${test_username}
-export PINNIPED_TEST_USER_GROUPS=${test_groups}
-export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
 export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
 export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
 export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace}
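Review bot: `webhook_ca_bundle="(kubectl get secret ... )"` inside the alternate-deploy branch of the first prepare-for-integration-tests.sh hunk assigns the literal text of the command rather than its output — compared with the removed line above it, the `$` before `(` is missing (unless the page dropped it) — so `PINNIPED_TEST_WEBHOOK_CA_BUNDLE` would be exported as the string `(kubectl get secret ...` on that path. It also runs before `$alternate_deploy` has deployed anything, so even as `"$(...)"` the secret in the local-user-authenticator namespace may not exist yet; the Carvel post-install script already appends `PINNIPED_TEST_WEBHOOK_CA_BUNDLE` once it does, so this assignment could simply be dropped. Replacing the unconditional lookup with `webhook_ca_bundle="undefined"` also means the ytt deployment path now exports `PINNIPED_TEST_WEBHOOK_CA_BUNDLE=undefined` unless the `else` branch, which lies outside the hunk, sets it. The enclosing `if` continues past the end of the hunk.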
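Review bot: Removing the three `PINNIPED_TEST_USER_*` exports from the heredoc in the third prepare-for-integration-tests.sh hunk removes them from the ytt deployment path as well, where nothing visible re-creates them; only the Carvel post-install script appends them, so an integration run after a plain ytt deploy would presumably see an empty `PINNIPED_TEST_USER_TOKEN`. The commented-out copies and `# TODO: fix this later` acknowledge this, but a commented block in the middle of the export setup is easy to forget. Either keep the three exports here and have the post-install script append its own afterwards (a later `export` of the same name wins when the file is sourced), or guard them with `if [ "$post_install" = "undefined" ]`. The heredoc continues past the end of the hunk.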
@@ -507,6 +502,18 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
 export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
 EOF
+
+#
+# Call a post-install script
+# simplifies passing the $tag which may be necessary if the current local build is to be
+# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
+# running it after the above also allows appending to the environment variable file
+if [ "$post_install" != "undefined" ] ; then
+ log_note "The post-install script will be called with $tag..."
+ $post_install post-install-script $tag
+fi
+
+
 #
 # Print instructions for next steps.
 #
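Review bot: `$post_install post-install-script $tag` in the relocated block expands both variables unquoted, so a script path or tag containing whitespace or glob characters is word-split before execution; `"$post_install" post-install-script "$tag"` keeps it consistent with the quoted `[ "$post_install" != "undefined" ]` test directly above. The move itself is what lets the Carvel script append to `/tmp/integration-test-env`, and the added comment records that, but it names the file only as "the environment variable file"; `# must run after /tmp/integration-test-env is written: the post-install script appends to it` would make the ordering dependency greppable.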