Compare commits

...

40 Commits

Author SHA1 Message Date
Benjamin A. Petersen
d5565af1d3
Carvel package readme updates 2023-10-20 14:49:16 -04:00
Benjamin A. Petersen
8dfac21eb8
Add PINNIPED_USE_LOCAL_KIND_REGISTRY env var
- ensures regular use of hack/prepare-for-integration-tests.sh
  - PINNIPED_USE_LOCAL_KIND_REGISTRY=1  ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh
  - ./hack/prepare-for-integration-tests.sh --clean
2023-10-20 12:36:26 -04:00
Benjamin A. Petersen
0352717153
Adjust /etc/hosts message for local registry (if line not found) 2023-10-19 15:28:14 -04:00
Benjamin A. Petersen
d803b7c3d4
simplify env vars again, create one well known /tmp/integration-test-env file again 2023-10-19 15:28:08 -04:00
Benjamin A. Petersen
050750d682
Add TODO for /etc/hosts 2023-10-16 14:12:10 -04:00
Benjamin A. Petersen
106edd4868
Add comments to build files 2023-10-12 16:58:43 -04:00
Benjamin A. Petersen
86a25246dd
Tweak hack scripts for carvel package usage 2023-10-12 13:31:50 -04:00
Benjamin A. Petersen
4bbd6312c5
Update hack scripts to support fresh /tmp/pinniped-XXX env files on every run 2023-10-12 11:24:19 -04:00
Benjamin A. Petersen
ac42b725fb
escapes in values.yaml for complex examples 2023-10-12 11:24:19 -04:00
Benjamin A. Petersen
8e430c8e77
remove dead code 2023-10-11 17:09:46 -04:00
Benjamin A. Petersen
dc4948f570
values.yaml: make consistent comment between supervisor & concierge 2023-10-11 17:09:18 -04:00
Benjamin A. Petersen
b091b41b8d
todo: test user changes need to be addressed 2023-10-11 16:07:25 -04:00
Benjamin A. Petersen
5bcff5a651
update schema from values.yml schema change 2023-10-11 16:06:59 -04:00
Benjamin A. Petersen
8fda51850b
deploy/{}/values.yml image_pull_dockerconfigjson type change to base64 string 2023-10-11 16:05:53 -04:00
Benjamin A. Petersen
1a143f9720
adjust variables in hack/prepare-for-integration-tests.sh 2023-10-11 12:49:47 -04:00
Benjamin A. Petersen
b6afd56716
remove old install artifacts 2023-10-11 12:49:18 -04:00
Benjamin A. Petersen
9ec2cf6bcd
improve cleanup of carvel package artifacts 2023-10-11 12:28:41 -04:00
Benjamin A. Petersen
f2b5d568d9
improve cleanup of carvel package artifacts 2023-10-11 12:09:04 -04:00
Benjamin A. Petersen
f521917b5e
adjust were to call post-install script 2023-10-10 17:22:37 -04:00
Benjamin A. Petersen
4b5e869a5e
webhook_ca_bundle moved in hack script 2023-10-10 16:25:37 -04:00
Benjamin A. Petersen
761e323777
ignore images.yml and pkginstall.yml files (specific SHAs) 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
231870582e
cleanup local registry in kind-down.sh 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
740463bba7
add vars back to prepare-for-integration-tests script 2023-10-10 16:25:36 -04:00
Joshua Casey
eeb08d52b7
Don't add 0.0.0 files to the git repository 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
e6707ca448
Adjust outputs from build-carvel-package, remove old files 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
cb6d299156
Fix prepare-for-integration-tests.sh with carvel packages 2023-10-10 16:25:36 -04:00
Joshua Casey
de1bbde2cc
Use vendir sync instead of cp to sync the deploy manifests 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
0f0d9927c0
WIP: carvel package-repository & package files, package-install in scripts 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
530ce433ac
add --post-install to hack/prepare-for-integration-tests.sh 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
ff09b61364
generate .imgpkg/images.yml files for carvel packages 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
1f281a7d7e
custom_labels should not be nullable 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
7950dc4cdb
Add hack script to build openapi-v3 files 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
97d8688753
Add local-user-authenticator carvel package files 2023-10-10 16:25:34 -04:00
Benjamin A. Petersen
b4e8b6c051
Add concierge carvel package files 2023-10-10 16:25:34 -04:00
Benjamin A. Petersen
538f6b5b3f
Add supervisor carvel package files 2023-10-10 16:25:34 -04:00
Benjamin A. Petersen
6d13de173b
Add ytt openapi-v3 generation to build carvel package script 2023-10-10 16:25:34 -04:00
Benjamin A. Petersen
5e798f2af4
Update values.yaml for local-user-authenticator to schema file 2023-10-10 16:25:34 -04:00
Benjamin A. Petersen
44356b0db3
Add deploy_carvel dir with symlink to deploy/{supervisor,concierge} 2023-10-10 16:25:34 -04:00
Benjamin A. Petersen
b4f64443db
Update values.yaml for supervisor,concierge to schema files 2023-10-10 16:23:59 -04:00
Benjamin A. Petersen
0ce54bb2f3
add kind-registry.local:5000 to kind cluster
- update kind config to include local registry
- configure kind cluster to talk to local registry
- docker build & push pinniped dev code to local registry
- deploy dev code of the following via the local registry:
  - concierge
  - supervisor
  - local-user-authenticator
2023-10-10 16:23:59 -04:00
48 changed files with 2005 additions and 161 deletions

View File

@ -1,75 +1,97 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values
#@data/values-schema
---
#@schema/desc "Name of pinniped-concierge."
app_name: pinniped-concierge
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
namespace: pinniped-concierge
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
into_namespace: #! e.g. my-preexisting-namespace
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
#@schema/desc into_namespace_desc
#@schema/nullable
into_namespace: my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
#! The app can be uninstalled either by:
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
#@ The app can be uninstalled either by: \
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
#@ resources that were dynamically created by controllers at runtime \
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
#@schema/desc custom_labels_desc
#@schema/type any=True
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
#! Specify how many replicas of the Pinniped server to run.
#@schema/desc "Specify how many replicas of the Pinniped server to run."
replicas: 2
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
#@schema/nullable
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_tag: latest
#! Optionally specify a different image for the "kube-cert-agent" pod which is scheduled
#! on the control plane. This image needs only to include `sleep` and `cat` binaries.
#! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
kube_cert_agent_image:
#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
#@schema/desc kube_cert_agent_image
#@schema/nullable
kube_cert_agent_image: projects.registry.vmware.com/pinniped/pinniped-server
#! Specifies a secret to be used when pulling the above `image_repo` container image.
#! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional.
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
#@ Can be used when the above image_repo is a private registry. \
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=\"USERNAME\" --docker-password=\"PASSWORD\" --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]' \
#@ Optional."
#! base64 encoded: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
#! result: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ==
#@schema/desc image_pull_dockerconfigjson_desc
#@schema/nullable
image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
#! This setting allows the guess to be overridden.
#! Optional.
discovery_url: #! e.g., https://example.com
#@schema/desc "Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden."
#@schema/nullable
discovery_url: https://example.com
#! Specify the duration and renewal interval for the API serving certificate.
#! The defaults are set to expire the cert about every 30 days, and to rotate it
#! about every 25 days.
#@ api_serving_certificate_desc = "Specify the duration and renewal interval for the API serving certificate. \
#@ The defaults are set to expire the cert about every 30 days, and to rotate it \
#@ about every 25 days."
#@schema/desc api_serving_certificate_desc
api_serving_certificate_duration_seconds: 2592000
#@schema/desc api_serving_certificate_desc
api_serving_certificate_renew_before_seconds: 2160000
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
#! information), trace (timing information), all (kitchen sink).
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
#! By default, when this value is left unset, logs are formatted in json.
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
deprecated_log_format:
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
#@schema/nullable
log_level: info
#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
#@ By default, when this value is left unset, logs are formatted in json. \
#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
#@schema/desc deprecated_log_format_desc
#@schema/nullable
deprecated_log_format: json
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_user: 65532
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_group: 65532
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
#@schema/desc api_group_suffix_desc
api_group_suffix: pinniped.dev
#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
#! handles impersonation.
#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
impersonation_proxy_spec:
#! options are "auto", "disabled" or "enabled".
#! If auto, the impersonation proxy will run only if the cluster signing key is not available
@ -77,11 +99,14 @@ impersonation_proxy_spec:
#! If disabled, the impersonation proxy will never run, which could mean that the concierge
#! doesn't work at all.
#! If enabled, the impersonation proxy will always run regardless of other strategies available.
#@schema/desc "If enabled, the impersonation proxy will always run regardless of other strategies available."
mode: auto
#! The endpoint which the client should use to connect to the impersonation proxy.
#! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
#! endpoint.
external_endpoint:
#@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
#@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
#@schema/desc external_endpoint_desc
#@schema/nullable
external_endpoint: 1.2.3.4:5678
#@schema/desc "The impersonation proxy service configuration"
service:
#! Options are "LoadBalancer", "ClusterIP" and "None".
#! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
@ -91,17 +116,24 @@ impersonation_proxy_spec:
#! impersonation proxy.
#! None does not provision either and assumes that you have set the external_endpoint
#! and set up your own ingress to connect to the impersonation proxy.
#@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'."
#@schema/nullable
type: LoadBalancer
#! The annotations that should be set on the ClusterIP or LoadBalancer Service.
#@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
#@schema/nullable
annotations:
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
#! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
load_balancer_ip:
#@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."
#@schema/nullable
load_balancer_ip: 1.2.3.4:5678
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers.
#! These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS,
#! e.g. when the Concierge fetches discovery documents, JWKS keys, and POSTs to token webhooks.
#! The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
#! Optional.
https_proxy: #! e.g. http://proxy.example.com
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
#@ Optional."
#@schema/desc https_proxy_desc
#@schema/nullable
https_proxy: http://proxy.example.com
#@schema/desc "do not proxy Kubernetes endpoints"
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints

View File

@ -1,19 +1,26 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values
#@data/values-schema
---
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
#@schema/nullable
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_tag: latest
#! Specifies a secret to be used when pulling the above `image_repo` container image.
#! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional.
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
#@ Can be used when the above image_repo is a private registry. \
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data['.dockerconfigjson']' \
#@ Optional."
#@schema/desc image_pull_dockerconfigjson_desc
#@schema/nullable
image_pull_dockerconfigjson: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_user: 65532
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_group: 65532

View File

@ -1,39 +1,50 @@
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values
#@data/values-schema
---
#@schema/desc "Name of pinniped-supervisor."
app_name: pinniped-supervisor
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
namespace: pinniped-supervisor
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
into_namespace: #! e.g. my-preexisting-namespace
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
#@schema/desc into_namespace_desc
#@schema/nullable
into_namespace: my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
#! The app can be uninstalled either by:
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
#@ The app can be uninstalled either by: \
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
#@ resources that were dynamically created by controllers at runtime \
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
#@schema/desc custom_labels_desc
#@schema/type any=True
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
#! Specify how many replicas of the Pinniped server to run.
#@schema/desc "Specify how many replicas of the Pinniped server to run."
replicas: 2
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
#@schema/nullable
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_tag: latest
#! Specifies a secret to be used when pulling the above `image_repo` container image.
#! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional.
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
#@ Can be used when the above image_repo is a private registry. \
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=\"USERNAME\" --docker-password=\"PASSWORD\" --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]' \
#@ Optional."
#! base64 encoded: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
#! result: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ==
#@schema/desc image_pull_dockerconfigjson_desc
#@schema/nullable
image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
#! Typically, you would set a value for only one of the following service types.
@ -41,43 +52,70 @@ image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
#! The `loadBalancerIP` value of the LoadBalancer Service.
#! Ignored unless service_https_loadbalancer_port is provided.
#! Optional.
service_loadbalancer_ip: #! e.g. 1.2.3.4
#@schema/desc "will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/nullable
deprecated_service_http_nodeport_port: 31234
#@schema/desc "will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
#@schema/nullable
deprecated_service_http_nodeport_nodeport: 31234
#@schema/desc "will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/nullable
deprecated_service_http_loadbalancer_port: 8443
#@schema/desc "#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/nullable
deprecated_service_http_clusterip_port: 8443
#@schema/desc "#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/nullable
service_https_nodeport_port: 31243
#@schema/desc "#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
#@schema/nullable
service_https_nodeport_nodeport: 31243
#@schema/desc "#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/nullable
service_https_loadbalancer_port: 8443
#@schema/desc "#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/nullable
service_https_clusterip_port: 8443
#@ service_loadbalancer_ip_desc="The `loadBalancerIP` value of the LoadBalancer Service. \
#@ Ignored unless service_https_loadbalancer_port is provided."
#@schema/desc service_loadbalancer_ip_desc
#@schema/nullable
service_loadbalancer_ip: 1.2.3.4
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
#! By default, when this value is left unset, logs are formatted in json.
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
deprecated_log_format:
#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
#@schema/nullable
log_level: info
#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
#@ By default, when this value is left unset, logs are formatted in json. \
#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
#@schema/desc deprecated_log_format_desc
#@schema/nullable
deprecated_log_format: json
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_user: 65532
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_group: 65532
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
#@schema/desc api_group_suffix_desc
api_group_suffix: pinniped.dev
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
#! Optional.
https_proxy: #! e.g. http://proxy.example.com
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
#@ Optional."
#@schema/desc https_proxy_desc
#@schema/nullable
https_proxy: http://proxy.example.com
#@schema/desc "do not proxy Kubernetes endpoints"
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
#! Control the HTTP and HTTPS listeners of the Supervisor.
#!
@ -118,16 +156,22 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
#!
#! Optional.
#@schema/desc "Control the HTTP and HTTPS listeners of the Supervisor."
#@schema/nullable
endpoints:
https:
network: tcp
address: 1.2.3.4:5678
#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
#! Optional.
#! deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints. \
#! http value which checks that only loopback interfaces are used. \
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any \
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced \
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time \
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods. \
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time \
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available. \
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false. \
#! Optional."
#@schema/desc https_proxy_desc
deprecated_insecure_accept_external_unencrypted_http_requests: false

12
deploy_carvel/.gitignore vendored Normal file
View File

@ -0,0 +1,12 @@
# package_repository/packages/{pkg}/ contains specific SHAs of images
# we are using 0.0.0- to indicate dev versions of images
*0.0.0*
# installation artifacts will be generated here
deploy_carvel/deploy/
# images.yml files contain specific SHAs of images
concierge/.imgpkg/images.yml
supervisor/.imgpkg/images.yml
local-user-authenticator/.imgpkg/images.yml
package_repository/.imgpkg/images.yml

10
deploy_carvel/README.md Normal file
View File

@ -0,0 +1,10 @@
# Deployment via Carvel Packages
The Carvel Package deployment method can be exercised via the following invocation:
```bash
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
--clean \
--alternate-deploy ./hack/noop.sh \
--post-install ./hack/build-carvel-packages.sh
```

1
deploy_carvel/concierge/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
config/

View File

@ -0,0 +1,16 @@
# Pinniped Concierge Deployment
See [the how-to guide for details](https://pinniped.dev/docs/howto/concierge/).
The Carvel Package deployment method can be exercised via the following invocation:
```bash
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
--clean \
--alternate-deploy ./hack/noop.sh \
--post-install ./hack/build-carvel-packages.sh
```
## In this directory:
- `vendir` is used to copy the <root>/deploy/concierge ytt files to <root>/deploy_carvel/concierge/config.

View File

@ -0,0 +1,4 @@
apiVersion: kbld.k14s.io/v1alpha1
kind: Config
minimumRequiredVersion: 0.31.0
overrides:

View File

@ -0,0 +1,10 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
name: concierge.pinniped.dev
spec:
displayName: "Pinniped Concierge"
longDescription: "Pinniped concierge enables consistent login across Kubernetes clusters on public cloud providers such as AKS, EKS and GKE"
shortDescription: "Pinniped concierge enables consistent login across public clouds"
categories:
- auth

View File

@ -0,0 +1,29 @@
#@ load("@ytt:data", "data") # for reading data values (generated via ytt's data-values-schema-inspect mode).
#@ load("@ytt:yaml", "yaml") # for dynamically decoding the output of ytt's data-values-schema-inspect
---
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: #@ "concierge.pinniped.dev." + data.values.version
spec:
refName: concierge.pinniped.dev
version: #@ data.values.version
releaseNotes: |
Initial release of the pinniped concierge package, TODO: AUTOMATE THIS??
valuesSchema:
openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
template:
spec:
fetch:
- imgpkgBundle:
image: #@ data.values.repo_host + ":" + data.values.version
template:
- ytt:
paths:
- "config/"
- kbld:
paths:
- ".imgpkg/images.yml"
- "-"
deploy:
- kapp: {}

View File

@ -0,0 +1,137 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-concierge.
default: pinniped-concierge
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-concierge
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: {}
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
kube_cert_agent_image:
type: string
nullable: true
description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
default: null
image_pull_dockerconfigjson:
type: string
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
default: null
discovery_url:
type: string
nullable: true
description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
default: null
api_serving_certificate_duration_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2592000
api_serving_certificate_renew_before_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2160000
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
impersonation_proxy_spec:
type: object
additionalProperties: false
description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
properties:
mode:
type: string
description: If enabled, the impersonation proxy will always run regardless of other strategies available.
default: auto
external_endpoint:
type: string
nullable: true
description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
default: null
service:
type: object
additionalProperties: false
description: The impersonation proxy service configuration
properties:
type:
type: string
nullable: true
description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
default: null
annotations:
type: object
additionalProperties: false
nullable: true
description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
properties:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
type: string
default: "4000"
load_balancer_ip:
type: string
nullable: true
description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
default: null
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local

View File

@ -0,0 +1,155 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-concierge.
default: pinniped-concierge
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-concierge
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: null
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
kube_cert_agent_image:
type: string
nullable: true
description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
default: null
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
discovery_url:
type: string
nullable: true
description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
default: null
api_serving_certificate_duration_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2592000
api_serving_certificate_renew_before_seconds:
type: integer
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
default: 2160000
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
impersonation_proxy_spec:
type: object
additionalProperties: false
description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
properties:
mode:
type: string
description: If enabled, the impersonation proxy will always run regardless of other strategies available.
default: auto
external_endpoint:
type: string
nullable: true
description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
default: null
service:
type: object
additionalProperties: false
description: The impersonation proxy service configuration
properties:
type:
type: string
nullable: true
description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
default: null
annotations:
type: object
additionalProperties: false
nullable: true
description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
properties:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
type: string
default: "4000"
load_balancer_ip:
type: string
nullable: true
description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
default: null
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local

View File

@ -0,0 +1,7 @@
apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- directory: {}
path: .
path: config
kind: LockConfig

View File

@ -0,0 +1,8 @@
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: config
contents:
- path: .
directory:
path: ../../deploy/concierge

View File

@ -0,0 +1,27 @@
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "local-user-authenticator-package-install"
namespace: "local-user-authenticator-install-ns"
spec:
serviceAccountName: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
packageRef:
refName: "local-user-authenticator.pinniped.dev"
versionSelection:
constraints: "0.0.0-7E26B8EF-A4D6-4020-83E8-EAF8F3D1533F"
values:
- secretRef:
name: "local-user-authenticator-package-install-secret"
---
apiVersion: v1
kind: Secret
metadata:
name: "local-user-authenticator-package-install-secret"
namespace: "local-user-authenticator-install-ns"
stringData:
values.yml: |
---
image_repo: kind-registry.local:5000/test/build
image_tag: 0.0.0-7E26B8EF-A4D6-4020-83E8-EAF8F3D1533F

View File

@ -0,0 +1,35 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: "concierge-install-ns"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
namespace: "concierge-install-ns"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
namespace: "concierge-install-ns"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "pinniped-package-rbac-concierge-role-binding-superadmin-dangerous"
subjects:
- kind: ServiceAccount
name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
namespace: "concierge-install-ns"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"

View File

@ -0,0 +1,35 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: "local-user-authenticator-install-ns"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
namespace: "local-user-authenticator-install-ns"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "pinniped-package-rbac-local-user-authenticator-role-superadmin-dangerous"
namespace: "local-user-authenticator-install-ns"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "pinniped-package-rbac-local-user-authenticator-role-binding-superadmin-dangerous"
subjects:
- kind: ServiceAccount
name: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
namespace: "local-user-authenticator-install-ns"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "pinniped-package-rbac-local-user-authenticator-role-superadmin-dangerous"

View File

@ -0,0 +1,35 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: "supervisor-install-ns"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
namespace: "supervisor-install-ns"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
namespace: "supervisor-install-ns"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "pinniped-package-rbac-supervisor-role-binding-superadmin-dangerous"
subjects:
- kind: ServiceAccount
name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
namespace: "supervisor-install-ns"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"

View File

@ -0,0 +1 @@
config/

View File

@ -0,0 +1,17 @@
# local-user-authenticator
The local-user-authenticator is a component used for testing Pinniped and is not a production component.
See [Application main functions](https://pinniped.dev/docs/reference/code-walkthrough/#application-main-functions) for a brief description.
The Carvel Package deployment method can be exercised via the following invocation:
```bash
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
--clean \
--alternate-deploy ./hack/noop.sh \
--post-install ./hack/build-carvel-packages.sh
```
## In this directory:
- `vendir` is used to copy the <root>/deploy/local-user-authenticator ytt files to <root>/deploy_carvel/local-user-authenticator/config.

View File

@ -0,0 +1,4 @@
apiVersion: kbld.k14s.io/v1alpha1
kind: Config
minimumRequiredVersion: 0.31.0
overrides:

View File

@ -0,0 +1,11 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
name: local-user-authenticator.pinniped.dev
spec:
displayName: "local-user-authenticator"
longDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos. Note that this is not recommended for
production use."
shortDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos."
categories:
- auth

View File

@ -0,0 +1,29 @@
#@ load("@ytt:data", "data") # for reading data values (generated via ytt's data-values-schema-inspect mode).
#@ load("@ytt:yaml", "yaml") # for dynamically decoding the output of ytt's data-values-schema-inspect
---
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: #@ "local-user-authenticator.pinniped.dev." + data.values.version
spec:
refName: local-user-authenticator.pinniped.dev
version: #@ data.values.version
releaseNotes: |
Initial release of the local-user-authenticator package, TODO: AUTOMATE THIS??
valuesSchema:
openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
template:
spec:
fetch:
- imgpkgBundle:
image: #@ data.values.repo_host + ":" + data.values.version
template:
- ytt:
paths:
- "config/"
- kbld:
paths:
- ".imgpkg/images.yml"
- "-"
deploy:
- kapp: {}

View File

@ -0,0 +1,55 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532

View File

@ -0,0 +1,55 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532

View File

@ -0,0 +1,7 @@
apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- directory: {}
path: .
path: config
kind: LockConfig

View File

@ -0,0 +1,8 @@
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: config
contents:
- path: .
directory:
path: ../../deploy/local-user-authenticator

View File

@ -0,0 +1,10 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
name: concierge.pinniped.dev
spec:
displayName: "Pinniped Concierge"
longDescription: "Pinniped concierge enables consistent login across Kubernetes clusters on public cloud providers such as AKS, EKS and GKE"
shortDescription: "Pinniped concierge enables consistent login across public clouds"
categories:
- auth

View File

@ -0,0 +1,11 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
name: local-user-authenticator.pinniped.dev
spec:
displayName: "local-user-authenticator"
longDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos. Note that this is not recommended for
production use."
shortDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos."
categories:
- auth

View File

@ -0,0 +1,10 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
name: supervisor.pinniped.dev
spec:
displayName: "Pinniped Supervisor"
longDescription: "Pinniped supervisor allows seamless login across one or many Kubernetes clusters including AKS, EKS and GKE"
shortDescription: "Pinniped supervisor provides login capabilities"
categories:
- auth

1
deploy_carvel/supervisor/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
config/

View File

@ -0,0 +1,16 @@
# Pinniped Supervisor Deployment
See [the how-to guide for details](https://pinniped.dev/docs/howto/install-supervisor/).
The Carvel Package deployment method can be exercised via the following invocation:
```bash
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
--clean \
--alternate-deploy ./hack/noop.sh \
--post-install ./hack/build-carvel-packages.sh
```
## In this directory:
- `vendir` is used to copy the <root>/deploy/supervisor ytt files to <root>/deploy_carvel/supervisor/config.

View File

@ -0,0 +1,4 @@
apiVersion: kbld.k14s.io/v1alpha1
kind: Config
minimumRequiredVersion: 0.31.0
overrides:

View File

@ -0,0 +1,10 @@
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
name: supervisor.pinniped.dev
spec:
displayName: "Pinniped Supervisor"
longDescription: "Pinniped supervisor allows seamless login across one or many Kubernetes clusters including AKS, EKS and GKE"
shortDescription: "Pinniped supervisor provides login capabilities"
categories:
- auth

View File

@ -0,0 +1,29 @@
#@ load("@ytt:data", "data") # for reading data values (generated via ytt's data-values-schema-inspect mode).
#@ load("@ytt:yaml", "yaml") # for dynamically decoding the output of ytt's data-values-schema-inspect
---
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
name: #@ "supervisor.pinniped.dev." + data.values.version
spec:
refName: supervisor.pinniped.dev
version: #@ data.values.version
releaseNotes: |
Initial release of the pinniped supervisor package, TODO: AUTOMATE THIS??
valuesSchema:
openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
template:
spec:
fetch:
- imgpkgBundle:
image: #@ data.values.repo_host + ":" + data.values.version
template:
- ytt:
paths:
- "config/"
- kbld:
paths:
- ".imgpkg/images.yml"
- "-"
deploy:
- kapp: {}

View File

@ -0,0 +1,146 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-supervisor.
default: pinniped-supervisor
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-supervisor
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: {}
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: string
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
default: null
deprecated_service_http_nodeport_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_nodeport_nodeport:
type: integer
nullable: true
description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
default: null
deprecated_service_http_loadbalancer_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_clusterip_port:
type: integer
nullable: true
description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
default: null
service_https_nodeport_port:
type: integer
nullable: true
description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_nodeport_nodeport:
type: integer
nullable: true
description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
default: null
service_https_loadbalancer_port:
type: integer
nullable: true
description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_clusterip_port:
type: integer
nullable: true
description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_loadbalancer_ip:
type: string
nullable: true
description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
default: null
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
endpoints:
type: object
additionalProperties: false
nullable: true
description: Control the HTTP and HTTPS listeners of the Supervisor.
properties:
https:
type: object
additionalProperties: false
properties:
network:
type: string
default: tcp
address:
type: string
default: 1.2.3.4:5678
deprecated_insecure_accept_external_unencrypted_http_requests:
type: boolean
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: false

View File

@ -0,0 +1,164 @@
openapi: 3.0.0
info:
version: 0.1.0
title: Schema for data values, generated by ytt
paths: {}
components:
schemas:
dataValues:
type: object
additionalProperties: false
properties:
app_name:
type: string
description: Name of pinniped-supervisor.
default: pinniped-supervisor
namespace:
type: string
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
default: pinniped-supervisor
into_namespace:
type: string
nullable: true
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
default: null
custom_labels:
nullable: true
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
default: null
replicas:
type: integer
description: Specify how many replicas of the Pinniped server to run.
default: 2
image_repo:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: projects.registry.vmware.com/pinniped/pinniped-server
image_digest:
type: string
nullable: true
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: null
image_tag:
type: string
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
default: latest
image_pull_dockerconfigjson:
type: object
additionalProperties: false
nullable: true
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
properties:
auths:
type: object
additionalProperties: false
properties:
https://registry.example.com:
type: object
additionalProperties: false
properties:
username:
type: string
default: USERNAME
password:
type: string
default: PASSWORD
auth:
type: string
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
deprecated_service_http_nodeport_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_nodeport_nodeport:
type: integer
nullable: true
description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
default: null
deprecated_service_http_loadbalancer_port:
type: integer
nullable: true
description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
default: null
deprecated_service_http_clusterip_port:
type: integer
nullable: true
description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
default: null
service_https_nodeport_port:
type: integer
nullable: true
description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_nodeport_nodeport:
type: integer
nullable: true
description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
default: null
service_https_loadbalancer_port:
type: integer
nullable: true
description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_https_clusterip_port:
type: integer
nullable: true
description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
default: null
service_loadbalancer_ip:
type: string
nullable: true
description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
default: null
log_level:
type: string
nullable: true
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
default: null
deprecated_log_format:
type: string
nullable: true
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
default: null
run_as_user:
type: integer
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
run_as_group:
type: integer
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
default: 65532
api_group_suffix:
type: string
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
default: pinniped.dev
https_proxy:
type: string
nullable: true
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: null
no_proxy:
type: string
description: do not proxy Kubernetes endpoints
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
endpoints:
type: object
additionalProperties: false
nullable: true
description: Control the HTTP and HTTPS listeners of the Supervisor.
properties:
https:
type: object
additionalProperties: false
properties:
network:
type: string
default: tcp
address:
type: string
default: 1.2.3.4:5678
deprecated_insecure_accept_external_unencrypted_http_requests:
type: boolean
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
default: false

View File

@ -0,0 +1,7 @@
apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- directory: {}
path: .
path: config
kind: LockConfig

View File

@ -0,0 +1,8 @@
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: config
contents:
- path: .
directory:
path: ../../deploy/supervisor

435
hack/build-carvel-packages.sh Executable file
View File

@ -0,0 +1,435 @@
#!/usr/bin/env bash
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# This script can be used in conjunction with prepare-for-integration-tests.sh.
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
# the integration tests script will create a local docker registry and configure kind to use the registry
# and will build the Pinniped binary and container image.
# This script will then create Carvel Packages for supervisor,concierge and local-user-authenticator.
# It will also create a Carvel PackageRepository.
# The PackageRepository will be installed on the kind cluster, then PackageInstall resources
# will be created to deploy an instance of each of the packages on the cluster.
# Once this script has completed, Pinniped can be interacted with as if it had been deployed in the usual way,
# for example by running tests or by preparing supervisor for manual interactions:
# source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration -run /TestE2EFullIntegration_Browser
# hack/prepare-supervisor-on-kind.sh --oidc
#
# Example usage:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh
#
set -euo pipefail
#
# Helper functions
#
function log_note() {
GREEN='\033[0;32m'
NC='\033[0m'
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
echo -e "${GREEN}$*${NC}"
else
echo "$*"
fi
}
function log_error() {
RED='\033[0;31m'
NC='\033[0m'
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
echo -e "🙁${RED} Error: $* ${NC}"
else
echo ":( Error: $*"
fi
}
function check_dependency() {
if ! command -v "$1" >/dev/null; then
log_error "Missing dependency..."
log_error "$2"
exit 1
fi
}
pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$pinniped_path" || exit 1
# arguments provided to scripts called by hack/prepare-for-integration-tests.sh
# - app: unimportant, but always first
# - tag: uuidgen in hack/prepare-for-integration-tests.sh
# if this script is run standalone, then auto-fill with a unique value
app=${1:-"undefined"}
tag=${2:-$(uuidgen)}
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" == "" ]]; then
log_error "Building the Carvel package requires configuring kind with a local registry."
log_error "please set the environment variable PINNIPED_USE_LOCAL_KIND_REGISTRY"
log_error "for example:"
log_error " PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh"
fi
# TODO: automate the version by release somehow.
# the tag is the version in our build scripts, but we will want real versions for releases
pinniped_package_version="${tag}" # ie, "0.25.0"
# core pinniped binaries (concierge, supervisor, local-user-authenticator)
# TODO: we can likely just pass in the whole registry_repo_tag from the parent script and be done.
# the duplication is unnecessary. This script doesn't ever need to run standalone again.
registry="kind-registry.local:5000"
repo="test/build"
registry_repo="$registry/$repo"
registry_repo_tag="${registry_repo}:${tag}"
api_group_suffix="pinniped.dev"
# Package prefix for concierge, supervisor, local-user-authenticator
package_repo_prefix="${registry_repo}/package" # + $resource_name + ":" + $tag
# Pinniped Package repository
package_repository_repo="pinniped-package-repository"
package_repository_repo_tag="${registry_repo}/${package_repository_repo}:${tag}"
# carvel
log_note "Installing kapp-controller on cluster..."
KAPP_CONTROLLER_GLOBAL_NAMESPACE="kapp-controller-packaging-global"
kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml" -y
kubectl get customresourcedefinitions
# Generate the OpenAPI v3 Schema files, imgpkg images.yml files
declare -a arr=("local-user-authenticator" "concierge" "supervisor")
for resource_name in "${arr[@]}"
do
resource_qualified_name="${resource_name}.${api_group_suffix}"
package_repo_tag="${package_repo_prefix}-${resource_name}:${tag}"
resource_dir="deploy_carvel/${resource_name}"
resource_config_source_dir="deploy/${resource_name}"
resource_destination_dir="deploy_carvel/${resource_name}"
resource_config_destination_dir="${resource_destination_dir}/config"
# these must be real files, not symlinks
log_note "Vendir sync deploy directory for ${resource_name} to package bundle..."
pushd "${resource_destination_dir}" > /dev/null
vendir sync
popd > /dev/null
log_note "Generating OpenAPI v3 schema for ${resource_name}..."
ytt \
--file "${resource_config_destination_dir}" \
--data-values-schema-inspect \
--output openapi-v3 > \
"${resource_dir}/schema-openapi.yaml"
log_note "Generating .imgpkg/images.yml for ${resource_name}..."
mkdir -p "${resource_dir}/.imgpkg"
ytt \
--file "${resource_config_destination_dir}" | \
kbld -f- --imgpkg-lock-output "${resource_dir}/.imgpkg/images.yml"
log_note "Pushing Pinniped ${resource_name} Package bundle..."
imgpkg push --bundle "${package_repo_tag}" --file "${resource_dir}"
# validation flag?
log_note "Validating ${resource_name} Package bundle not empty (/tmp/${package_repo_tag})..."
imgpkg pull --bundle "${package_repo_tag}" --output "/tmp/${package_repo_tag}"
log_note "Generating PackageRepository Package entry for ${resource_name}"
# publish package versions to package repository
package_repository_dir="deploy_carvel/package_repository/packages/${resource_qualified_name}"
rm -rf "${package_repository_dir}"
mkdir "${package_repository_dir}"
ytt \
--file "${resource_dir}/package-template.yml" \
--data-value-file openapi="${resource_dir}/schema-openapi.yml" \
--data-value repo_host="${package_repo_prefix}-${resource_name}" \
--data-value version="${pinniped_package_version}" > "${package_repository_dir}/${pinniped_package_version}.yml"
cp "deploy_carvel/${resource_name}/metadata.yml" "${package_repository_dir}/metadata.yml"
done
log_note "Generating .imgpkg/images.yml for Pinniped PackageRepository bundle..."
mkdir -p "deploy_carvel/package_repository/.imgpkg"
kbld --file "deploy_carvel/package_repository/packages/" --imgpkg-lock-output "deploy_carvel/package_repository/.imgpkg/images.yml"
log_note "Pushing Pinniped PackageRepository bundle.... "
imgpkg push --bundle "${package_repository_repo_tag}" --file "deploy_carvel/package_repository"
# validation flag?
log_note "Validating Pinniped PackageRepository bundle not empty /tmp/${package_repo_tag}..."
imgpkg pull --bundle "${package_repository_repo_tag}" --output "/tmp/${package_repository_repo_tag}"
## NOTE: could break apart here at a build and a deploy script.
log_note "cleaning deploy artifacts..."
rm -rf "deploy_carvel/deploy"
mkdir "deploy_carvel/deploy"
log_note "deploying PackageRepository..."
pinniped_package_repository_name="pinniped-package-repository"
pinniped_package_repository_file="deploy_carvel/deploy/packagerepository.${pinniped_package_version}.yml"
echo -n "" > "${pinniped_package_repository_file}"
cat <<EOT >> "${pinniped_package_repository_file}"
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
name: "${pinniped_package_repository_name}"
namespace: "${KAPP_CONTROLLER_GLOBAL_NAMESPACE}"
spec:
fetch:
imgpkgBundle:
image: "${package_repository_repo_tag}"
EOT
kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_package_repository_file}" -y
kapp inspect --app "${pinniped_package_repository_name}" --tree
for resource_name in "${arr[@]}"
do
log_note "creating PackageInstall and RBAC for ${resource_name}..."
namespace="${resource_name}-install-ns"
pinniped_package_rbac_prefix="pinniped-package-rbac-${resource_name}"
pinniped_package_rbac_file="deploy_carvel/deploy/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml"
echo -n "" > "${pinniped_package_rbac_file}"
# TODO: will just a Role and RoleBinding work? Just for the target namespace.
# - limit this to the LEAST privilege for each of the resources
# - and document this for each of the resources.
# - and we may need to TEMPLATE the namespace, if pinniped is installed in alt namespaces?
cat <<EOF >> "${pinniped_package_rbac_file}"
---
apiVersion: v1
kind: Namespace
metadata:
name: "${namespace}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "${pinniped_package_rbac_prefix}-sa-superadmin-dangerous"
namespace: "${namespace}"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "${pinniped_package_rbac_prefix}-role-superadmin-dangerous"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "${pinniped_package_rbac_prefix}-role-binding-superadmin-dangerous"
subjects:
- kind: ServiceAccount
name: "${pinniped_package_rbac_prefix}-sa-superadmin-dangerous"
namespace: "${namespace}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "${pinniped_package_rbac_prefix}-role-superadmin-dangerous"
EOF
kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y
done
# start local-user-authenticator
# local-user-authenticator
log_note "deploying local-user-authenticator PackageInstall resources..."
resource_name="local-user-authenticator"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
image_repo: $registry_repo
image_tag: $tag
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
test_username="test-username"
test_groups="test-group-0,test-group-1"
test_password="$(openssl rand -hex 16)"
log_note "Creating test user '$test_username'..."
kubectl create secret generic "$test_username" \
--namespace local-user-authenticator \
--from-literal=groups="$test_groups" \
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
--dry-run=client \
--output yaml |
kubectl apply -f -
# start concierge
log_note "deploying concierge PackageInstall resources..."
resource_name="concierge"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
# from prepare-for-integration-tests.sh
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
app_name: $concierge_app_name
namespace: $concierge_namespace
api_group_suffix: $api_group_suffix
log_level: $log_level
custom_labels: $concierge_custom_labels
image_repo: $registry_repo
image_tag: $tag
discovery_url: $discovery_url
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
# end concierge
# start supervisor
log_note "deploying supervisor PackageInstall resources..."
resource_name="supervisor"
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
# from prepare-for-integration-test.sh
supervisor_app_name="pinniped-supervisor"
supervisor_namespace="supervisor"
supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
log_level="debug"
service_https_nodeport_port="443"
service_https_nodeport_nodeport="31243"
service_https_clusterip_port="443"
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
# name, does not have to be versioned, versionSelection.constraints below will handle
name: "${resource_name}-package-install"
namespace: "${NAMESPACE}"
spec:
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
packageRef:
refName: "${RESOURCE_PACKAGE_VERSION}"
versionSelection:
constraints: "${pinniped_package_version}"
values:
- secretRef:
name: "${SECRET_NAME}"
---
apiVersion: v1
kind: Secret
metadata:
name: "${SECRET_NAME}"
namespace: "${NAMESPACE}"
stringData:
values.yml: |
---
app_name: $supervisor_app_name
namespace: $supervisor_namespace
api_group_suffix: $api_group_suffix
image_repo: $registry_repo
image_tag: $tag
log_level: $log_level
custom_labels: $supervisor_custom_labels
service_https_nodeport_port: $service_https_nodeport_port
service_https_nodeport_nodeport: $service_https_nodeport_nodeport
service_https_clusterip_port: $service_https_clusterip_port
EOF
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
# TODO: does this wait not only for the PackageInstall, but the Package, and its deployments and pods, to be successful? Because we need that.
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
# end supervisor
log_note "verifying PackageInstall resources..."
kubectl get PackageInstall -A | grep pinniped
kubectl get secret -A | grep pinniped
log_note "listing all package resources (PackageRepository, Package, PackageInstall)..."
kubectl get pkgi && kubectl get pkgr && kubectl get pkg
log_note "listing all kapp cli apps..."
kapp ls --all-namespaces
log_note "listing all kapp-controller apps..."
kubectl get app --all-namespaces

View File

@ -0,0 +1,22 @@
#!/usr/bin/env bash
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# This script can be used to prepare a kind cluster and deploy the app.
# You can call this script again to redeploy the app.
# It will also output instructions on how to run the integration.
#
set -euo pipefail
# whats all installed
kubectl get pkgr -A && kubectl get pkg -A && kubectl get pkgi -A
# delete the package installs
kubectl delete pkgi concierge-package-install -n concierge-install-ns
kubectl delete pkgi supervisor-package-install -n supervisor-install-ns
kubectl delete pkgi local-user-authenticator-package-install -n local-user-authenticator-install-ns
# TODO: clean up the rest also

View File

@ -11,7 +11,8 @@ set -euo pipefail
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
source /tmp/integration-test-env
source "/tmp/integration-test-env"
echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;"

View File

@ -8,4 +8,11 @@ set -euo pipefail
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
cd "${ROOT}"
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
reg_name='kind-registry.local'
docker network disconnect "kind" "${reg_name}" || true
docker stop "${reg_name}" || true
docker rm "${reg_name}" || true
fi
kind delete cluster --name pinniped

View File

@ -8,13 +8,60 @@ set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${ROOT}"
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
# create registry container unless it already exists
reg_name='kind-registry.local'
reg_port='5000'
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
docker run \
-d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
registry:2
fi
fi
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" && "$PINNIPED_USE_LOCAL_KIND_REGISTRY" != "" ]]; then
echo "Adding Contour port mapping and local registry to Kind config."
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
-f "${ROOT}/hack/lib/kind-config/contour-overlay.yaml" \
-f "${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml" >/tmp/kind-config.yaml
kind create cluster --config /tmp/kind-config.yaml --name pinniped
elif [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
echo "Adding Contour port mapping to Kind config."
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
-f "${ROOT}/hack/lib/kind-config/contour-overlay.yaml" >/tmp/kind-config.yaml
kind create cluster --config /tmp/kind-config.yaml --name pinniped
elif [[ "$PINNIPED_USE_LOCAL_KIND_REGISTRY" != "" ]]; then
echo "Adding local registry to Kind config."
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
-f "${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml" >/tmp/kind-config.yaml
kind create cluster --config /tmp/kind-config.yaml --name pinniped
else
# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.28.0`.
# To debug the kind config, add this option to the command below: `-v 10`
kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped
fi
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
# connect the registry to the cluster network if not already connected
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
docker network connect "kind" "${reg_name}"
fi
# Document the local registry
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: local-registry-hosting
namespace: kube-public
data:
localRegistryHosting.v1: |
host: "localhost:${reg_port}"
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF
fi

View File

@ -0,0 +1,11 @@
#! Copyright 2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.all
---
#@overlay/match missing_ok=True
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."kind-registry.local:5000"]
endpoint = ["http://kind-registry.local:5000"]

45
hack/noop.sh Executable file
View File

@ -0,0 +1,45 @@
#!/usr/bin/env bash
#
# This script is intended to be used with:
# - $repo_root/hack/prepare-for-integration-test.sh --alternate-deploy $(pwd)/deploy_carvel/hack/log-args.sh
# and originated with the following:
# - https://github.com/jvanzyl/pinniped-charts/blob/main/alternate-deploy-helm
# along with this PR to pinniped:
# - https://github.com/vmware-tanzu/pinniped/pull/1028
set -euo pipefail
#
# Helper functions
#
function log_note() {
GREEN='\033[0;32m'
NC='\033[0m'
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
echo -e "${GREEN}$*${NC}"
else
echo "$*"
fi
}
function log_error() {
RED='\033[0;31m'
NC='\033[0m'
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
echo -e "🙁${RED} Error: $* ${NC}"
else
echo ":( Error: $*"
fi
}
function check_dependency() {
if ! command -v "$1" >/dev/null; then
log_error "Missing dependency..."
log_error "$2"
exit 1
fi
}
app=${1}
tag=${2}
log_note "noop.sh >>> app: ${app} tag: ${tag}"

View File

@ -8,7 +8,15 @@
# You can call this script again to redeploy the app.
# It will also output instructions on how to run the integration.
#
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
# the script will create a local docker registry and configure kind to use the registry. When building
# and installing Pinniped normally this is unnecessary. However, if an alternative build and install approach
# is taken, such as via a Carvel packaging mechanism, a local registry might be needed (for example, the
# kbld tool requires a registry to resolve images to shas).
#
# Example usage:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh
#
set -euo pipefail
#
@ -55,6 +63,7 @@ alternate_deploy="undefined"
alternate_deploy_supervisor="undefined"
alternate_deploy_concierge="undefined"
alternate_deploy_local_user_authenticator="undefined"
post_install="undefined"
# supported variable style:
# --dockerfile-path ./foo.sh
@ -140,6 +149,15 @@ while (("$#")); do
alternate_deploy_local_user_authenticator=$1
shift
;;
--post-install)
shift
if [[ "$#" == "0" || "$1" == -* ]]; then
log_error "--post-install requires a script path to be specified"
exit 1
fi
post_install=$1
shift
;;
-*)
log_error "Unsupported flag $1" >&2
if [[ "$1" == *"active-directory"* ]]; then
@ -169,6 +187,7 @@ if [[ "$help" == "yes" ]]; then
log_note " --alternate-deploy-supervisor: specify an alternate deploy script to install Pinniped Supervisor"
log_note " --alternate-deploy-concierge: specify an alternate deploy script to install Pinniped Concierge"
log_note " --alternate-deploy-local-user-authenticator: specify an alternate deploy script to install Pinniped local-user-authenticator"
log_note " --post-install: specify an post-install script"
exit 1
fi
@ -221,12 +240,34 @@ else
fi
registry="pinniped.local"
registry_with_port="$registry"
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
registry="kind-registry.local"
registry_with_port="$registry:5000"
fi
repo="test/build"
registry_repo="$registry/$repo"
tag=$(uuidgen) # always a new tag to force K8s to reload the image on redeploy
registry_repo="$registry_with_port/$repo"
tag="0.0.0-$(uuidgen)" # always a new tag to force K8s to reload the image on redeploy
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
etc_hosts_local_registry_missing=no
if ! grep -q "$registry" /etc/hosts; then
etc_hosts_local_registry_missing=yes
fi
if [[ "$etc_hosts_local_registry_missing" == "yes" ]]; then
echo
log_error "In order to configure the kind cluster to use the local registry properly,"
log_error "please run this command to edit /etc/hosts, and then run this script again with the same options."
echo "sudo bash -c \"echo '127.0.0.1 $registry' >> /etc/hosts\""
log_error "When you are finished with your Kind cluster, you can remove this line from /etc/hosts."
exit 1
fi
fi
if [[ "$skip_build" == "yes" ]]; then
most_recent_tag=$(docker images "$registry/$repo" --format "{{.Tag}}" | head -1)
most_recent_tag=$(docker images "$registry_repo" --format "{{.Tag}}" | head -1)
if [[ -n "$most_recent_tag" ]]; then
tag="$most_recent_tag"
do_build=no
@ -253,15 +294,19 @@ if [[ "$do_build" == "yes" ]]; then
fi
fi
# Load it into the cluster
log_note "Loading the app's container image into the kind cluster..."
kind load docker-image "$registry_repo_tag" --name pinniped
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
# if registry used, push to the registry
log_note "Loading the app's container image into the local registry ($registry_with_port)..."
docker push "$registry_repo_tag"
else
# otherwise side-load directly
log_note "Loading the app's container image into the kind cluster..."
kind load docker-image "$registry_repo_tag" --name pinniped
fi
#
# Deploy local-user-authenticator
#
manifest=/tmp/pinniped-local-user-authenticator.yaml
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ] ; then
if [ "$alternate_deploy" != "undefined" ]; then
log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
@ -280,6 +325,7 @@ else
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null
fi
@ -303,18 +349,6 @@ kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null
test_username="test-username"
test_groups="test-group-0,test-group-1"
test_password="$(openssl rand -hex 16)"
log_note "Creating test user '$test_username'..."
kubectl create secret generic "$test_username" \
--namespace local-user-authenticator \
--from-literal=groups="$test_groups" \
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
--dry-run=client \
--output yaml |
kubectl apply -f -
#
# Deploy the Pinniped Supervisor
#
@ -364,7 +398,6 @@ manifest=/tmp/pinniped-concierge.yaml
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
@ -396,6 +429,38 @@ else
popd >/dev/null
fi
#
# Call a post-install script
# simplifies passing the $tag which may be necessary if the current local build is to be
# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
# running it after the above also allows appending to the environment variable file
if [ "$post_install" != "undefined" ] ; then
log_note "The post-install script will be called with $tag..."
$post_install post-install-script $tag
fi
#
# Test user for the authenticator
# the authenticator may be deployed in alternative ways (ex. carvel package) but regardless we need a test user.
#
log_note "Creating test user for local-user-authenticator..."
test_username="test-username"
test_groups="test-group-0,test-group-1"
test_password="$(openssl rand -hex 16)"
kubectl create secret generic "$test_username" \
--namespace local-user-authenticator \
--from-literal=groups="$test_groups" \
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
--dry-run=client \
--output yaml |
kubectl apply -f -
#
# Regardless of how the local-user-authenticator is installed, we need the webhook bundle in the environment file.
#
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
#
# Download the test CA bundle that was generated in the Dex pod.
# Note that this returns a base64 encoded value.
@ -412,7 +477,9 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
cat <<EOF >/tmp/integration-test-env
env_file_name="/tmp/integration-test-env"
cat <<EOF >"$env_file_name"
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
@ -484,6 +551,7 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
EOF
#
# Print instructions for next steps.
#
@ -491,7 +559,7 @@ log_note
log_note "🚀 Ready to run integration tests! For example..."
log_note " cd $pinniped_path"
log_note " ulimit -n 512"
log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration'
log_note " source $env_file_name && go test -v -race -count 1 -timeout 0 ./test/integration"
log_note
log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
log_note " hack/integration-test-env-goland.sh | pbcopy"
@ -501,3 +569,4 @@ log_note
log_note "To delete the deployments, run:"
log_note " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y"
log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
log_note

View File

@ -98,7 +98,7 @@ if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_u
fi
# Read the env vars output by hack/prepare-for-integration-tests.sh
source /tmp/integration-test-env
source "/tmp/integration-test-env"
# Choose some filenames.
root_ca_crt_path=root_ca.crt