Compare commits
40 Commits
main
...
ben/carvel
Author | SHA1 | Date | |
---|---|---|---|
|
d5565af1d3 | ||
|
8dfac21eb8 | ||
|
0352717153 | ||
|
d803b7c3d4 | ||
|
050750d682 | ||
|
106edd4868 | ||
|
86a25246dd | ||
|
4bbd6312c5 | ||
|
ac42b725fb | ||
|
8e430c8e77 | ||
|
dc4948f570 | ||
|
b091b41b8d | ||
|
5bcff5a651 | ||
|
8fda51850b | ||
|
1a143f9720 | ||
|
b6afd56716 | ||
|
9ec2cf6bcd | ||
|
f2b5d568d9 | ||
|
f521917b5e | ||
|
4b5e869a5e | ||
|
761e323777 | ||
|
231870582e | ||
|
740463bba7 | ||
|
eeb08d52b7 | ||
|
e6707ca448 | ||
|
cb6d299156 | ||
|
de1bbde2cc | ||
|
0f0d9927c0 | ||
|
530ce433ac | ||
|
ff09b61364 | ||
|
1f281a7d7e | ||
|
7950dc4cdb | ||
|
97d8688753 | ||
|
b4e8b6c051 | ||
|
538f6b5b3f | ||
|
6d13de173b | ||
|
5e798f2af4 | ||
|
44356b0db3 | ||
|
b4f64443db | ||
|
0ce54bb2f3 |
@ -1,75 +1,97 @@
|
|||||||
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
#@data/values
|
#@data/values-schema
|
||||||
---
|
---
|
||||||
|
#@schema/desc "Name of pinniped-concierge."
|
||||||
app_name: pinniped-concierge
|
app_name: pinniped-concierge
|
||||||
|
|
||||||
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
|
||||||
namespace: pinniped-concierge
|
namespace: pinniped-concierge
|
||||||
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
|
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
|
||||||
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
|
||||||
into_namespace: #! e.g. my-preexisting-namespace
|
#@schema/desc into_namespace_desc
|
||||||
|
#@schema/nullable
|
||||||
|
into_namespace: my-preexisting-namespace
|
||||||
|
|
||||||
#! All resources created statically by yaml at install-time and all resources created dynamically
|
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
|
||||||
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
|
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
|
||||||
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
|
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
|
||||||
#! The app can be uninstalled either by:
|
#@ The app can be uninstalled either by: \
|
||||||
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
|
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
|
||||||
#! resources that were dynamically created by controllers at runtime
|
#@ resources that were dynamically created by controllers at runtime \
|
||||||
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
|
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
|
||||||
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
#@schema/desc custom_labels_desc
|
||||||
|
#@schema/type any=True
|
||||||
|
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
||||||
|
|
||||||
#! Specify how many replicas of the Pinniped server to run.
|
#@schema/desc "Specify how many replicas of the Pinniped server to run."
|
||||||
replicas: 2
|
replicas: 2
|
||||||
|
|
||||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
#@schema/nullable
|
||||||
|
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
image_tag: latest
|
image_tag: latest
|
||||||
|
|
||||||
#! Optionally specify a different image for the "kube-cert-agent" pod which is scheduled
|
#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
|
||||||
#! on the control plane. This image needs only to include `sleep` and `cat` binaries.
|
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
|
||||||
#! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
|
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
|
||||||
kube_cert_agent_image:
|
#@schema/desc kube_cert_agent_image
|
||||||
|
#@schema/nullable
|
||||||
|
kube_cert_agent_image: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
|
||||||
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
|
||||||
#! Can be used when the above image_repo is a private registry.
|
#@ Can be used when the above image_repo is a private registry. \
|
||||||
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=\"USERNAME\" --docker-password=\"PASSWORD\" --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]' \
|
||||||
#! Optional.
|
#@ Optional."
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
#! base64 encoded: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
#! result: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ==
|
||||||
|
#@schema/desc image_pull_dockerconfigjson_desc
|
||||||
|
#@schema/nullable
|
||||||
|
image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
|
||||||
|
|
||||||
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
|
#@schema/desc "Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden."
|
||||||
#! This setting allows the guess to be overridden.
|
#@schema/nullable
|
||||||
#! Optional.
|
discovery_url: https://example.com
|
||||||
discovery_url: #! e.g., https://example.com
|
|
||||||
|
|
||||||
#! Specify the duration and renewal interval for the API serving certificate.
|
|
||||||
#! The defaults are set to expire the cert about every 30 days, and to rotate it
|
#@ api_serving_certificate_desc = "Specify the duration and renewal interval for the API serving certificate. \
|
||||||
#! about every 25 days.
|
#@ The defaults are set to expire the cert about every 30 days, and to rotate it \
|
||||||
|
#@ about every 25 days."
|
||||||
|
#@schema/desc api_serving_certificate_desc
|
||||||
api_serving_certificate_duration_seconds: 2592000
|
api_serving_certificate_duration_seconds: 2592000
|
||||||
|
#@schema/desc api_serving_certificate_desc
|
||||||
api_serving_certificate_renew_before_seconds: 2160000
|
api_serving_certificate_renew_before_seconds: 2160000
|
||||||
|
|
||||||
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
|
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
||||||
#! information), trace (timing information), all (kitchen sink).
|
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
||||||
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
|
||||||
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
|
#@schema/nullable
|
||||||
#! By default, when this value is left unset, logs are formatted in json.
|
log_level: info
|
||||||
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
|
#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
|
||||||
deprecated_log_format:
|
#@ By default, when this value is left unset, logs are formatted in json. \
|
||||||
|
#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
|
||||||
|
#@schema/desc deprecated_log_format_desc
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_log_format: json
|
||||||
|
|
||||||
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
run_as_user: 65532
|
||||||
|
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_group: 65532
|
||||||
|
|
||||||
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
|
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
|
||||||
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
|
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
|
||||||
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
|
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
|
||||||
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
|
||||||
|
#@schema/desc api_group_suffix_desc
|
||||||
api_group_suffix: pinniped.dev
|
api_group_suffix: pinniped.dev
|
||||||
|
|
||||||
#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
|
|
||||||
#! handles impersonation.
|
#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
|
||||||
impersonation_proxy_spec:
|
impersonation_proxy_spec:
|
||||||
#! options are "auto", "disabled" or "enabled".
|
#! options are "auto", "disabled" or "enabled".
|
||||||
#! If auto, the impersonation proxy will run only if the cluster signing key is not available
|
#! If auto, the impersonation proxy will run only if the cluster signing key is not available
|
||||||
@ -77,11 +99,14 @@ impersonation_proxy_spec:
|
|||||||
#! If disabled, the impersonation proxy will never run, which could mean that the concierge
|
#! If disabled, the impersonation proxy will never run, which could mean that the concierge
|
||||||
#! doesn't work at all.
|
#! doesn't work at all.
|
||||||
#! If enabled, the impersonation proxy will always run regardless of other strategies available.
|
#! If enabled, the impersonation proxy will always run regardless of other strategies available.
|
||||||
|
#@schema/desc "If enabled, the impersonation proxy will always run regardless of other strategies available."
|
||||||
mode: auto
|
mode: auto
|
||||||
#! The endpoint which the client should use to connect to the impersonation proxy.
|
#@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
|
||||||
#! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
|
#@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
|
||||||
#! endpoint.
|
#@schema/desc external_endpoint_desc
|
||||||
external_endpoint:
|
#@schema/nullable
|
||||||
|
external_endpoint: 1.2.3.4:5678
|
||||||
|
#@schema/desc "The impersonation proxy service configuration"
|
||||||
service:
|
service:
|
||||||
#! Options are "LoadBalancer", "ClusterIP" and "None".
|
#! Options are "LoadBalancer", "ClusterIP" and "None".
|
||||||
#! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
|
#! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
|
||||||
@ -91,17 +116,24 @@ impersonation_proxy_spec:
|
|||||||
#! impersonation proxy.
|
#! impersonation proxy.
|
||||||
#! None does not provision either and assumes that you have set the external_endpoint
|
#! None does not provision either and assumes that you have set the external_endpoint
|
||||||
#! and set up your own ingress to connect to the impersonation proxy.
|
#! and set up your own ingress to connect to the impersonation proxy.
|
||||||
|
#@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'."
|
||||||
|
#@schema/nullable
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
#! The annotations that should be set on the ClusterIP or LoadBalancer Service.
|
#@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
|
||||||
|
#@schema/nullable
|
||||||
annotations:
|
annotations:
|
||||||
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
|
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
|
||||||
#! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
|
#@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."
|
||||||
load_balancer_ip:
|
#@schema/nullable
|
||||||
|
load_balancer_ip: 1.2.3.4:5678
|
||||||
|
|
||||||
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers.
|
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
|
||||||
#! These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS,
|
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
|
||||||
#! e.g. when the Concierge fetches discovery documents, JWKS keys, and POSTs to token webhooks.
|
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
|
||||||
#! The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
|
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
|
||||||
#! Optional.
|
#@ Optional."
|
||||||
https_proxy: #! e.g. http://proxy.example.com
|
#@schema/desc https_proxy_desc
|
||||||
|
#@schema/nullable
|
||||||
|
https_proxy: http://proxy.example.com
|
||||||
|
#@schema/desc "do not proxy Kubernetes endpoints"
|
||||||
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
||||||
|
@ -1,19 +1,26 @@
|
|||||||
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
#@data/values
|
#@data/values-schema
|
||||||
---
|
---
|
||||||
|
|
||||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
#@schema/nullable
|
||||||
|
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
image_tag: latest
|
image_tag: latest
|
||||||
|
|
||||||
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
|
||||||
#! Can be used when the above image_repo is a private registry.
|
#@ Can be used when the above image_repo is a private registry. \
|
||||||
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data['.dockerconfigjson']' \
|
||||||
#! Optional.
|
#@ Optional."
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
#@schema/desc image_pull_dockerconfigjson_desc
|
||||||
|
#@schema/nullable
|
||||||
|
image_pull_dockerconfigjson: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
|
||||||
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
run_as_user: 65532
|
||||||
|
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_group: 65532
|
||||||
|
@ -1,39 +1,50 @@
|
|||||||
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
#@data/values
|
#@data/values-schema
|
||||||
---
|
---
|
||||||
|
#@schema/desc "Name of pinniped-supervisor."
|
||||||
app_name: pinniped-supervisor
|
app_name: pinniped-supervisor
|
||||||
|
|
||||||
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
|
||||||
namespace: pinniped-supervisor
|
namespace: pinniped-supervisor
|
||||||
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
|
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
|
||||||
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
|
||||||
into_namespace: #! e.g. my-preexisting-namespace
|
#@schema/desc into_namespace_desc
|
||||||
|
#@schema/nullable
|
||||||
|
into_namespace: my-preexisting-namespace
|
||||||
|
|
||||||
#! All resources created statically by yaml at install-time and all resources created dynamically
|
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
|
||||||
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
|
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
|
||||||
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
|
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
|
||||||
#! The app can be uninstalled either by:
|
#@ The app can be uninstalled either by: \
|
||||||
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
|
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
|
||||||
#! resources that were dynamically created by controllers at runtime
|
#@ resources that were dynamically created by controllers at runtime \
|
||||||
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
|
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
|
||||||
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
#@schema/desc custom_labels_desc
|
||||||
|
#@schema/type any=True
|
||||||
|
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
||||||
|
|
||||||
#! Specify how many replicas of the Pinniped server to run.
|
#@schema/desc "Specify how many replicas of the Pinniped server to run."
|
||||||
replicas: 2
|
replicas: 2
|
||||||
|
|
||||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
#@schema/nullable
|
||||||
|
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
image_tag: latest
|
image_tag: latest
|
||||||
|
|
||||||
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
|
||||||
#! Can be used when the above image_repo is a private registry.
|
#@ Can be used when the above image_repo is a private registry. \
|
||||||
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=\"USERNAME\" --docker-password=\"PASSWORD\" --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]' \
|
||||||
#! Optional.
|
#@ Optional."
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
#! base64 encoded: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
#! result: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ==
|
||||||
|
#@schema/desc image_pull_dockerconfigjson_desc
|
||||||
|
#@schema/nullable
|
||||||
|
image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
|
||||||
|
|
||||||
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
|
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
|
||||||
#! Typically, you would set a value for only one of the following service types.
|
#! Typically, you would set a value for only one of the following service types.
|
||||||
@ -41,43 +52,70 @@ image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"
|
|||||||
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
|
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
|
||||||
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
|
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
|
||||||
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
|
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
|
||||||
deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
|
#@schema/desc "will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
|
||||||
deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
|
#@schema/nullable
|
||||||
deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
deprecated_service_http_nodeport_port: 31234
|
||||||
deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
#@schema/desc "will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
|
||||||
service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
|
#@schema/nullable
|
||||||
service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
|
deprecated_service_http_nodeport_nodeport: 31234
|
||||||
service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
#@schema/desc "will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
|
||||||
service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
#@schema/nullable
|
||||||
#! The `loadBalancerIP` value of the LoadBalancer Service.
|
deprecated_service_http_loadbalancer_port: 8443
|
||||||
#! Ignored unless service_https_loadbalancer_port is provided.
|
#@schema/desc "#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
|
||||||
#! Optional.
|
#@schema/nullable
|
||||||
service_loadbalancer_ip: #! e.g. 1.2.3.4
|
deprecated_service_http_clusterip_port: 8443
|
||||||
|
#@schema/desc "#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_nodeport_port: 31243
|
||||||
|
#@schema/desc "#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_nodeport_nodeport: 31243
|
||||||
|
#@schema/desc "#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_loadbalancer_port: 8443
|
||||||
|
#@schema/desc "#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_clusterip_port: 8443
|
||||||
|
#@ service_loadbalancer_ip_desc="The `loadBalancerIP` value of the LoadBalancer Service. \
|
||||||
|
#@ Ignored unless service_https_loadbalancer_port is provided."
|
||||||
|
#@schema/desc service_loadbalancer_ip_desc
|
||||||
|
#@schema/nullable
|
||||||
|
service_loadbalancer_ip: 1.2.3.4
|
||||||
|
|
||||||
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
||||||
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
||||||
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
|
||||||
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
|
#@schema/nullable
|
||||||
#! By default, when this value is left unset, logs are formatted in json.
|
log_level: info
|
||||||
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
|
#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
|
||||||
deprecated_log_format:
|
#@ By default, when this value is left unset, logs are formatted in json. \
|
||||||
|
#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
|
||||||
|
#@schema/desc deprecated_log_format_desc
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_log_format: json
|
||||||
|
|
||||||
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
run_as_user: 65532
|
||||||
|
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_group: 65532
|
||||||
|
|
||||||
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
|
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
|
||||||
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
|
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
|
||||||
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
|
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
|
||||||
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
|
||||||
|
#@schema/desc api_group_suffix_desc
|
||||||
api_group_suffix: pinniped.dev
|
api_group_suffix: pinniped.dev
|
||||||
|
|
||||||
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
|
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
|
||||||
#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
|
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
|
||||||
#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
|
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
|
||||||
#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
|
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
|
||||||
#! Optional.
|
#@ Optional."
|
||||||
https_proxy: #! e.g. http://proxy.example.com
|
#@schema/desc https_proxy_desc
|
||||||
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
#@schema/nullable
|
||||||
|
https_proxy: http://proxy.example.com
|
||||||
|
#@schema/desc "do not proxy Kubernetes endpoints"
|
||||||
|
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
|
||||||
|
|
||||||
#! Control the HTTP and HTTPS listeners of the Supervisor.
|
#! Control the HTTP and HTTPS listeners of the Supervisor.
|
||||||
#!
|
#!
|
||||||
@ -118,16 +156,22 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
|
|||||||
#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
|
#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
|
||||||
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
|
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
|
||||||
#!
|
#!
|
||||||
#! Optional.
|
#@schema/desc "Control the HTTP and HTTPS listeners of the Supervisor."
|
||||||
|
#@schema/nullable
|
||||||
endpoints:
|
endpoints:
|
||||||
|
https:
|
||||||
|
network: tcp
|
||||||
|
address: 1.2.3.4:5678
|
||||||
|
|
||||||
#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
|
#! deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints. \
|
||||||
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
|
#! http value which checks that only loopback interfaces are used. \
|
||||||
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
|
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any \
|
||||||
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
|
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced \
|
||||||
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
|
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time \
|
||||||
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
|
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods. \
|
||||||
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
|
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time \
|
||||||
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
|
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available. \
|
||||||
#! Optional.
|
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false. \
|
||||||
|
#! Optional."
|
||||||
|
#@schema/desc https_proxy_desc
|
||||||
deprecated_insecure_accept_external_unencrypted_http_requests: false
|
deprecated_insecure_accept_external_unencrypted_http_requests: false
|
||||||
|
12
deploy_carvel/.gitignore
vendored
Normal file
12
deploy_carvel/.gitignore
vendored
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
# package_repository/packages/{pkg}/ contains specific SHAs of images
|
||||||
|
# we are using 0.0.0- to indicate dev versions of images
|
||||||
|
*0.0.0*
|
||||||
|
|
||||||
|
# installation artifacts will be generated here
|
||||||
|
deploy_carvel/deploy/
|
||||||
|
|
||||||
|
# images.yml files contain specific SHAs of images
|
||||||
|
concierge/.imgpkg/images.yml
|
||||||
|
supervisor/.imgpkg/images.yml
|
||||||
|
local-user-authenticator/.imgpkg/images.yml
|
||||||
|
package_repository/.imgpkg/images.yml
|
10
deploy_carvel/README.md
Normal file
10
deploy_carvel/README.md
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
# Deployment via Carvel Packages
|
||||||
|
|
||||||
|
The Carvel Package deployment method can be exercised via the following invocation:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
|
||||||
|
--clean \
|
||||||
|
--alternate-deploy ./hack/noop.sh \
|
||||||
|
--post-install ./hack/build-carvel-packages.sh
|
||||||
|
```
|
1
deploy_carvel/concierge/.gitignore
vendored
Normal file
1
deploy_carvel/concierge/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
config/
|
16
deploy_carvel/concierge/README.md
Normal file
16
deploy_carvel/concierge/README.md
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# Pinniped Concierge Deployment
|
||||||
|
|
||||||
|
See [the how-to guide for details](https://pinniped.dev/docs/howto/concierge/).
|
||||||
|
|
||||||
|
The Carvel Package deployment method can be exercised via the following invocation:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
|
||||||
|
--clean \
|
||||||
|
--alternate-deploy ./hack/noop.sh \
|
||||||
|
--post-install ./hack/build-carvel-packages.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## In this directory:
|
||||||
|
|
||||||
|
- `vendir` is used to copy the <root>/deploy/concierge ytt files to <root>/deploy_carvel/concierge/config.
|
4
deploy_carvel/concierge/build.yml
Normal file
4
deploy_carvel/concierge/build.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
apiVersion: kbld.k14s.io/v1alpha1
|
||||||
|
kind: Config
|
||||||
|
minimumRequiredVersion: 0.31.0
|
||||||
|
overrides:
|
10
deploy_carvel/concierge/metadata.yml
Normal file
10
deploy_carvel/concierge/metadata.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageMetadata
|
||||||
|
metadata:
|
||||||
|
name: concierge.pinniped.dev
|
||||||
|
spec:
|
||||||
|
displayName: "Pinniped Concierge"
|
||||||
|
longDescription: "Pinniped concierge enables consistent login across Kubernetes clusters on public cloud providers such as AKS, EKS and GKE"
|
||||||
|
shortDescription: "Pinniped concierge enables consistent login across public clouds"
|
||||||
|
categories:
|
||||||
|
- auth
|
29
deploy_carvel/concierge/package-template.yml
Normal file
29
deploy_carvel/concierge/package-template.yml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
#@ load("@ytt:data", "data") # for reading data values (generated via ytt's data-values-schema-inspect mode).
|
||||||
|
#@ load("@ytt:yaml", "yaml") # for dynamically decoding the output of ytt's data-values-schema-inspect
|
||||||
|
---
|
||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: Package
|
||||||
|
metadata:
|
||||||
|
name: #@ "concierge.pinniped.dev." + data.values.version
|
||||||
|
spec:
|
||||||
|
refName: concierge.pinniped.dev
|
||||||
|
version: #@ data.values.version
|
||||||
|
releaseNotes: |
|
||||||
|
Initial release of the pinniped concierge package, TODO: AUTOMATE THIS??
|
||||||
|
valuesSchema:
|
||||||
|
openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
fetch:
|
||||||
|
- imgpkgBundle:
|
||||||
|
image: #@ data.values.repo_host + ":" + data.values.version
|
||||||
|
template:
|
||||||
|
- ytt:
|
||||||
|
paths:
|
||||||
|
- "config/"
|
||||||
|
- kbld:
|
||||||
|
paths:
|
||||||
|
- ".imgpkg/images.yml"
|
||||||
|
- "-"
|
||||||
|
deploy:
|
||||||
|
- kapp: {}
|
137
deploy_carvel/concierge/schema-openapi.yaml
Normal file
137
deploy_carvel/concierge/schema-openapi.yaml
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
openapi: 3.0.0
|
||||||
|
info:
|
||||||
|
version: 0.1.0
|
||||||
|
title: Schema for data values, generated by ytt
|
||||||
|
paths: {}
|
||||||
|
components:
|
||||||
|
schemas:
|
||||||
|
dataValues:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
app_name:
|
||||||
|
type: string
|
||||||
|
description: Name of pinniped-concierge.
|
||||||
|
default: pinniped-concierge
|
||||||
|
namespace:
|
||||||
|
type: string
|
||||||
|
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
||||||
|
default: pinniped-concierge
|
||||||
|
into_namespace:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
||||||
|
default: null
|
||||||
|
custom_labels:
|
||||||
|
nullable: true
|
||||||
|
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
|
||||||
|
default: {}
|
||||||
|
replicas:
|
||||||
|
type: integer
|
||||||
|
description: Specify how many replicas of the Pinniped server to run.
|
||||||
|
default: 2
|
||||||
|
image_repo:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
image_digest:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: null
|
||||||
|
image_tag:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: latest
|
||||||
|
kube_cert_agent_image:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
|
||||||
|
default: null
|
||||||
|
image_pull_dockerconfigjson:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
|
||||||
|
default: null
|
||||||
|
discovery_url:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
|
||||||
|
default: null
|
||||||
|
api_serving_certificate_duration_seconds:
|
||||||
|
type: integer
|
||||||
|
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
|
||||||
|
default: 2592000
|
||||||
|
api_serving_certificate_renew_before_seconds:
|
||||||
|
type: integer
|
||||||
|
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
|
||||||
|
default: 2160000
|
||||||
|
log_level:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
||||||
|
default: null
|
||||||
|
deprecated_log_format:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
|
||||||
|
default: null
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
run_as_group:
|
||||||
|
type: integer
|
||||||
|
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
api_group_suffix:
|
||||||
|
type: string
|
||||||
|
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
||||||
|
default: pinniped.dev
|
||||||
|
impersonation_proxy_spec:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
|
||||||
|
properties:
|
||||||
|
mode:
|
||||||
|
type: string
|
||||||
|
description: If enabled, the impersonation proxy will always run regardless of other strategies available.
|
||||||
|
default: auto
|
||||||
|
external_endpoint:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
|
||||||
|
default: null
|
||||||
|
service:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
description: The impersonation proxy service configuration
|
||||||
|
properties:
|
||||||
|
type:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
|
||||||
|
default: null
|
||||||
|
annotations:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
|
||||||
|
properties:
|
||||||
|
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
|
||||||
|
type: string
|
||||||
|
default: "4000"
|
||||||
|
load_balancer_ip:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
|
||||||
|
default: null
|
||||||
|
https_proxy:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
|
||||||
|
default: null
|
||||||
|
no_proxy:
|
||||||
|
type: string
|
||||||
|
description: do not proxy Kubernetes endpoints
|
||||||
|
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
|
155
deploy_carvel/concierge/schema-openapi.yml
Normal file
155
deploy_carvel/concierge/schema-openapi.yml
Normal file
@ -0,0 +1,155 @@
|
|||||||
|
openapi: 3.0.0
|
||||||
|
info:
|
||||||
|
version: 0.1.0
|
||||||
|
title: Schema for data values, generated by ytt
|
||||||
|
paths: {}
|
||||||
|
components:
|
||||||
|
schemas:
|
||||||
|
dataValues:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
app_name:
|
||||||
|
type: string
|
||||||
|
description: Name of pinniped-concierge.
|
||||||
|
default: pinniped-concierge
|
||||||
|
namespace:
|
||||||
|
type: string
|
||||||
|
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
||||||
|
default: pinniped-concierge
|
||||||
|
into_namespace:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
||||||
|
default: null
|
||||||
|
custom_labels:
|
||||||
|
nullable: true
|
||||||
|
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
|
||||||
|
default: null
|
||||||
|
replicas:
|
||||||
|
type: integer
|
||||||
|
description: Specify how many replicas of the Pinniped server to run.
|
||||||
|
default: 2
|
||||||
|
image_repo:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
image_digest:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: null
|
||||||
|
image_tag:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: latest
|
||||||
|
kube_cert_agent_image:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
|
||||||
|
default: null
|
||||||
|
image_pull_dockerconfigjson:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
|
||||||
|
properties:
|
||||||
|
auths:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
https://registry.example.com:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
username:
|
||||||
|
type: string
|
||||||
|
default: USERNAME
|
||||||
|
password:
|
||||||
|
type: string
|
||||||
|
default: PASSWORD
|
||||||
|
auth:
|
||||||
|
type: string
|
||||||
|
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
|
||||||
|
discovery_url:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
|
||||||
|
default: null
|
||||||
|
api_serving_certificate_duration_seconds:
|
||||||
|
type: integer
|
||||||
|
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
|
||||||
|
default: 2592000
|
||||||
|
api_serving_certificate_renew_before_seconds:
|
||||||
|
type: integer
|
||||||
|
description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
|
||||||
|
default: 2160000
|
||||||
|
log_level:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
||||||
|
default: null
|
||||||
|
deprecated_log_format:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
|
||||||
|
default: null
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
run_as_group:
|
||||||
|
type: integer
|
||||||
|
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
api_group_suffix:
|
||||||
|
type: string
|
||||||
|
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
||||||
|
default: pinniped.dev
|
||||||
|
impersonation_proxy_spec:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
|
||||||
|
properties:
|
||||||
|
mode:
|
||||||
|
type: string
|
||||||
|
description: If enabled, the impersonation proxy will always run regardless of other strategies available.
|
||||||
|
default: auto
|
||||||
|
external_endpoint:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
|
||||||
|
default: null
|
||||||
|
service:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
description: The impersonation proxy service configuration
|
||||||
|
properties:
|
||||||
|
type:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
|
||||||
|
default: null
|
||||||
|
annotations:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
|
||||||
|
properties:
|
||||||
|
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
|
||||||
|
type: string
|
||||||
|
default: "4000"
|
||||||
|
load_balancer_ip:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
|
||||||
|
default: null
|
||||||
|
https_proxy:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
|
||||||
|
default: null
|
||||||
|
no_proxy:
|
||||||
|
type: string
|
||||||
|
description: do not proxy Kubernetes endpoints
|
||||||
|
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
|
7
deploy_carvel/concierge/vendir.lock.yml
Normal file
7
deploy_carvel/concierge/vendir.lock.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
apiVersion: vendir.k14s.io/v1alpha1
|
||||||
|
directories:
|
||||||
|
- contents:
|
||||||
|
- directory: {}
|
||||||
|
path: .
|
||||||
|
path: config
|
||||||
|
kind: LockConfig
|
8
deploy_carvel/concierge/vendir.yml
Normal file
8
deploy_carvel/concierge/vendir.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
apiVersion: vendir.k14s.io/v1alpha1
|
||||||
|
kind: Config
|
||||||
|
directories:
|
||||||
|
- path: config
|
||||||
|
contents:
|
||||||
|
- path: .
|
||||||
|
directory:
|
||||||
|
path: ../../deploy/concierge
|
27
deploy_carvel/deploy/local-user-authenticator-pkginstall.yml
Normal file
27
deploy_carvel/deploy/local-user-authenticator-pkginstall.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
apiVersion: packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageInstall
|
||||||
|
metadata:
|
||||||
|
# name, does not have to be versioned, versionSelection.constraints below will handle
|
||||||
|
name: "local-user-authenticator-package-install"
|
||||||
|
namespace: "local-user-authenticator-install-ns"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
|
||||||
|
packageRef:
|
||||||
|
refName: "local-user-authenticator.pinniped.dev"
|
||||||
|
versionSelection:
|
||||||
|
constraints: "0.0.0-7E26B8EF-A4D6-4020-83E8-EAF8F3D1533F"
|
||||||
|
values:
|
||||||
|
- secretRef:
|
||||||
|
name: "local-user-authenticator-package-install-secret"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: "local-user-authenticator-package-install-secret"
|
||||||
|
namespace: "local-user-authenticator-install-ns"
|
||||||
|
stringData:
|
||||||
|
values.yml: |
|
||||||
|
---
|
||||||
|
image_repo: kind-registry.local:5000/test/build
|
||||||
|
image_tag: 0.0.0-7E26B8EF-A4D6-4020-83E8-EAF8F3D1533F
|
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: "concierge-install-ns"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
|
||||||
|
namespace: "concierge-install-ns"
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
|
||||||
|
namespace: "concierge-install-ns"
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["*"]
|
||||||
|
resources: ["*"]
|
||||||
|
verbs: ["*"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-concierge-role-binding-superadmin-dangerous"
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
|
||||||
|
namespace: "concierge-install-ns"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
|
||||||
|
|
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: "local-user-authenticator-install-ns"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
|
||||||
|
namespace: "local-user-authenticator-install-ns"
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-local-user-authenticator-role-superadmin-dangerous"
|
||||||
|
namespace: "local-user-authenticator-install-ns"
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["*"]
|
||||||
|
resources: ["*"]
|
||||||
|
verbs: ["*"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-local-user-authenticator-role-binding-superadmin-dangerous"
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
|
||||||
|
namespace: "local-user-authenticator-install-ns"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: "pinniped-package-rbac-local-user-authenticator-role-superadmin-dangerous"
|
||||||
|
|
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: "supervisor-install-ns"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
|
||||||
|
namespace: "supervisor-install-ns"
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
|
||||||
|
namespace: "supervisor-install-ns"
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["*"]
|
||||||
|
resources: ["*"]
|
||||||
|
verbs: ["*"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "pinniped-package-rbac-supervisor-role-binding-superadmin-dangerous"
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
|
||||||
|
namespace: "supervisor-install-ns"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
|
||||||
|
|
1
deploy_carvel/local-user-authenticator/.gitignore
vendored
Normal file
1
deploy_carvel/local-user-authenticator/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
config/
|
17
deploy_carvel/local-user-authenticator/README.md
Normal file
17
deploy_carvel/local-user-authenticator/README.md
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# local-user-authenticator
|
||||||
|
|
||||||
|
The local-user-authenticator is a component used for testing Pinniped and is not a production component.
|
||||||
|
See [Application main functions](https://pinniped.dev/docs/reference/code-walkthrough/#application-main-functions) for a brief description.
|
||||||
|
|
||||||
|
The Carvel Package deployment method can be exercised via the following invocation:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
|
||||||
|
--clean \
|
||||||
|
--alternate-deploy ./hack/noop.sh \
|
||||||
|
--post-install ./hack/build-carvel-packages.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## In this directory:
|
||||||
|
|
||||||
|
- `vendir` is used to copy the <root>/deploy/local-user-authenticator ytt files to <root>/deploy_carvel/local-user-authenticator/config.
|
4
deploy_carvel/local-user-authenticator/build.yml
Normal file
4
deploy_carvel/local-user-authenticator/build.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
apiVersion: kbld.k14s.io/v1alpha1
|
||||||
|
kind: Config
|
||||||
|
minimumRequiredVersion: 0.31.0
|
||||||
|
overrides:
|
11
deploy_carvel/local-user-authenticator/metadata.yml
Normal file
11
deploy_carvel/local-user-authenticator/metadata.yml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageMetadata
|
||||||
|
metadata:
|
||||||
|
name: local-user-authenticator.pinniped.dev
|
||||||
|
spec:
|
||||||
|
displayName: "local-user-authenticator"
|
||||||
|
longDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos. Note that this is not recommended for
|
||||||
|
production use."
|
||||||
|
shortDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos."
|
||||||
|
categories:
|
||||||
|
- auth
|
29
deploy_carvel/local-user-authenticator/package-template.yml
Normal file
29
deploy_carvel/local-user-authenticator/package-template.yml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
#@ load("@ytt:data", "data") # for reading data values (generated via ytt's data-values-schema-inspect mode).
|
||||||
|
#@ load("@ytt:yaml", "yaml") # for dynamically decoding the output of ytt's data-values-schema-inspect
|
||||||
|
---
|
||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: Package
|
||||||
|
metadata:
|
||||||
|
name: #@ "local-user-authenticator.pinniped.dev." + data.values.version
|
||||||
|
spec:
|
||||||
|
refName: local-user-authenticator.pinniped.dev
|
||||||
|
version: #@ data.values.version
|
||||||
|
releaseNotes: |
|
||||||
|
Initial release of the local-user-authenticator package, TODO: AUTOMATE THIS??
|
||||||
|
valuesSchema:
|
||||||
|
openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
fetch:
|
||||||
|
- imgpkgBundle:
|
||||||
|
image: #@ data.values.repo_host + ":" + data.values.version
|
||||||
|
template:
|
||||||
|
- ytt:
|
||||||
|
paths:
|
||||||
|
- "config/"
|
||||||
|
- kbld:
|
||||||
|
paths:
|
||||||
|
- ".imgpkg/images.yml"
|
||||||
|
- "-"
|
||||||
|
deploy:
|
||||||
|
- kapp: {}
|
55
deploy_carvel/local-user-authenticator/schema-openapi.yaml
Normal file
55
deploy_carvel/local-user-authenticator/schema-openapi.yaml
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
openapi: 3.0.0
|
||||||
|
info:
|
||||||
|
version: 0.1.0
|
||||||
|
title: Schema for data values, generated by ytt
|
||||||
|
paths: {}
|
||||||
|
components:
|
||||||
|
schemas:
|
||||||
|
dataValues:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
image_repo:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
image_digest:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: null
|
||||||
|
image_tag:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: latest
|
||||||
|
image_pull_dockerconfigjson:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
|
||||||
|
properties:
|
||||||
|
auths:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
https://registry.example.com:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
username:
|
||||||
|
type: string
|
||||||
|
default: USERNAME
|
||||||
|
password:
|
||||||
|
type: string
|
||||||
|
default: PASSWORD
|
||||||
|
auth:
|
||||||
|
type: string
|
||||||
|
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
run_as_group:
|
||||||
|
type: integer
|
||||||
|
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
55
deploy_carvel/local-user-authenticator/schema-openapi.yml
Normal file
55
deploy_carvel/local-user-authenticator/schema-openapi.yml
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
openapi: 3.0.0
|
||||||
|
info:
|
||||||
|
version: 0.1.0
|
||||||
|
title: Schema for data values, generated by ytt
|
||||||
|
paths: {}
|
||||||
|
components:
|
||||||
|
schemas:
|
||||||
|
dataValues:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
image_repo:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
image_digest:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: null
|
||||||
|
image_tag:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: latest
|
||||||
|
image_pull_dockerconfigjson:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
|
||||||
|
properties:
|
||||||
|
auths:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
https://registry.example.com:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
username:
|
||||||
|
type: string
|
||||||
|
default: USERNAME
|
||||||
|
password:
|
||||||
|
type: string
|
||||||
|
default: PASSWORD
|
||||||
|
auth:
|
||||||
|
type: string
|
||||||
|
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
run_as_group:
|
||||||
|
type: integer
|
||||||
|
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
7
deploy_carvel/local-user-authenticator/vendir.lock.yml
Normal file
7
deploy_carvel/local-user-authenticator/vendir.lock.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
apiVersion: vendir.k14s.io/v1alpha1
|
||||||
|
directories:
|
||||||
|
- contents:
|
||||||
|
- directory: {}
|
||||||
|
path: .
|
||||||
|
path: config
|
||||||
|
kind: LockConfig
|
8
deploy_carvel/local-user-authenticator/vendir.yml
Normal file
8
deploy_carvel/local-user-authenticator/vendir.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
apiVersion: vendir.k14s.io/v1alpha1
|
||||||
|
kind: Config
|
||||||
|
directories:
|
||||||
|
- path: config
|
||||||
|
contents:
|
||||||
|
- path: .
|
||||||
|
directory:
|
||||||
|
path: ../../deploy/local-user-authenticator
|
@ -0,0 +1,10 @@
|
|||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageMetadata
|
||||||
|
metadata:
|
||||||
|
name: concierge.pinniped.dev
|
||||||
|
spec:
|
||||||
|
displayName: "Pinniped Concierge"
|
||||||
|
longDescription: "Pinniped concierge enables consistent login across Kubernetes clusters on public cloud providers such as AKS, EKS and GKE"
|
||||||
|
shortDescription: "Pinniped concierge enables consistent login across public clouds"
|
||||||
|
categories:
|
||||||
|
- auth
|
@ -0,0 +1,11 @@
|
|||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageMetadata
|
||||||
|
metadata:
|
||||||
|
name: local-user-authenticator.pinniped.dev
|
||||||
|
spec:
|
||||||
|
displayName: "local-user-authenticator"
|
||||||
|
longDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos. Note that this is not recommended for
|
||||||
|
production use."
|
||||||
|
shortDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos."
|
||||||
|
categories:
|
||||||
|
- auth
|
@ -0,0 +1,10 @@
|
|||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageMetadata
|
||||||
|
metadata:
|
||||||
|
name: supervisor.pinniped.dev
|
||||||
|
spec:
|
||||||
|
displayName: "Pinniped Supervisor"
|
||||||
|
longDescription: "Pinniped supervisor allows seamless login across one or many Kubernetes clusters including AKS, EKS and GKE"
|
||||||
|
shortDescription: "Pinniped supervisor provides login capabilities"
|
||||||
|
categories:
|
||||||
|
- auth
|
1
deploy_carvel/supervisor/.gitignore
vendored
Normal file
1
deploy_carvel/supervisor/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
config/
|
16
deploy_carvel/supervisor/README.md
Normal file
16
deploy_carvel/supervisor/README.md
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# Pinniped Supervisor Deployment
|
||||||
|
|
||||||
|
See [the how-to guide for details](https://pinniped.dev/docs/howto/install-supervisor/).
|
||||||
|
|
||||||
|
The Carvel Package deployment method can be exercised via the following invocation:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
|
||||||
|
--clean \
|
||||||
|
--alternate-deploy ./hack/noop.sh \
|
||||||
|
--post-install ./hack/build-carvel-packages.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## In this directory:
|
||||||
|
|
||||||
|
- `vendir` is used to copy the <root>/deploy/supervisor ytt files to <root>/deploy_carvel/supervisor/config.
|
4
deploy_carvel/supervisor/build.yml
Normal file
4
deploy_carvel/supervisor/build.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
apiVersion: kbld.k14s.io/v1alpha1
|
||||||
|
kind: Config
|
||||||
|
minimumRequiredVersion: 0.31.0
|
||||||
|
overrides:
|
10
deploy_carvel/supervisor/metadata.yml
Normal file
10
deploy_carvel/supervisor/metadata.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageMetadata
|
||||||
|
metadata:
|
||||||
|
name: supervisor.pinniped.dev
|
||||||
|
spec:
|
||||||
|
displayName: "Pinniped Supervisor"
|
||||||
|
longDescription: "Pinniped supervisor allows seamless login across one or many Kubernetes clusters including AKS, EKS and GKE"
|
||||||
|
shortDescription: "Pinniped supervisor provides login capabilities"
|
||||||
|
categories:
|
||||||
|
- auth
|
29
deploy_carvel/supervisor/package-template.yml
Normal file
29
deploy_carvel/supervisor/package-template.yml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
#@ load("@ytt:data", "data") # for reading data values (generated via ytt's data-values-schema-inspect mode).
|
||||||
|
#@ load("@ytt:yaml", "yaml") # for dynamically decoding the output of ytt's data-values-schema-inspect
|
||||||
|
---
|
||||||
|
apiVersion: data.packaging.carvel.dev/v1alpha1
|
||||||
|
kind: Package
|
||||||
|
metadata:
|
||||||
|
name: #@ "supervisor.pinniped.dev." + data.values.version
|
||||||
|
spec:
|
||||||
|
refName: supervisor.pinniped.dev
|
||||||
|
version: #@ data.values.version
|
||||||
|
releaseNotes: |
|
||||||
|
Initial release of the pinniped supervisor package, TODO: AUTOMATE THIS??
|
||||||
|
valuesSchema:
|
||||||
|
openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
fetch:
|
||||||
|
- imgpkgBundle:
|
||||||
|
image: #@ data.values.repo_host + ":" + data.values.version
|
||||||
|
template:
|
||||||
|
- ytt:
|
||||||
|
paths:
|
||||||
|
- "config/"
|
||||||
|
- kbld:
|
||||||
|
paths:
|
||||||
|
- ".imgpkg/images.yml"
|
||||||
|
- "-"
|
||||||
|
deploy:
|
||||||
|
- kapp: {}
|
146
deploy_carvel/supervisor/schema-openapi.yaml
Normal file
146
deploy_carvel/supervisor/schema-openapi.yaml
Normal file
@ -0,0 +1,146 @@
|
|||||||
|
openapi: 3.0.0
|
||||||
|
info:
|
||||||
|
version: 0.1.0
|
||||||
|
title: Schema for data values, generated by ytt
|
||||||
|
paths: {}
|
||||||
|
components:
|
||||||
|
schemas:
|
||||||
|
dataValues:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
app_name:
|
||||||
|
type: string
|
||||||
|
description: Name of pinniped-supervisor.
|
||||||
|
default: pinniped-supervisor
|
||||||
|
namespace:
|
||||||
|
type: string
|
||||||
|
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
||||||
|
default: pinniped-supervisor
|
||||||
|
into_namespace:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
||||||
|
default: null
|
||||||
|
custom_labels:
|
||||||
|
nullable: true
|
||||||
|
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
|
||||||
|
default: {}
|
||||||
|
replicas:
|
||||||
|
type: integer
|
||||||
|
description: Specify how many replicas of the Pinniped server to run.
|
||||||
|
default: 2
|
||||||
|
image_repo:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
image_digest:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: null
|
||||||
|
image_tag:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: latest
|
||||||
|
image_pull_dockerconfigjson:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_nodeport_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_nodeport_nodeport:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_loadbalancer_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_clusterip_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_https_nodeport_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_https_nodeport_nodeport:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
|
||||||
|
default: null
|
||||||
|
service_https_loadbalancer_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_https_clusterip_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_loadbalancer_ip:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
|
||||||
|
default: null
|
||||||
|
log_level:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
||||||
|
default: null
|
||||||
|
deprecated_log_format:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
|
||||||
|
default: null
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
run_as_group:
|
||||||
|
type: integer
|
||||||
|
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
api_group_suffix:
|
||||||
|
type: string
|
||||||
|
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
||||||
|
default: pinniped.dev
|
||||||
|
https_proxy:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
|
||||||
|
default: null
|
||||||
|
no_proxy:
|
||||||
|
type: string
|
||||||
|
description: do not proxy Kubernetes endpoints
|
||||||
|
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
|
||||||
|
endpoints:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: Control the HTTP and HTTPS listeners of the Supervisor.
|
||||||
|
properties:
|
||||||
|
https:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
network:
|
||||||
|
type: string
|
||||||
|
default: tcp
|
||||||
|
address:
|
||||||
|
type: string
|
||||||
|
default: 1.2.3.4:5678
|
||||||
|
deprecated_insecure_accept_external_unencrypted_http_requests:
|
||||||
|
type: boolean
|
||||||
|
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
|
||||||
|
default: false
|
164
deploy_carvel/supervisor/schema-openapi.yml
Normal file
164
deploy_carvel/supervisor/schema-openapi.yml
Normal file
@ -0,0 +1,164 @@
|
|||||||
|
openapi: 3.0.0
|
||||||
|
info:
|
||||||
|
version: 0.1.0
|
||||||
|
title: Schema for data values, generated by ytt
|
||||||
|
paths: {}
|
||||||
|
components:
|
||||||
|
schemas:
|
||||||
|
dataValues:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
app_name:
|
||||||
|
type: string
|
||||||
|
description: Name of pinniped-supervisor.
|
||||||
|
default: pinniped-supervisor
|
||||||
|
namespace:
|
||||||
|
type: string
|
||||||
|
description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
||||||
|
default: pinniped-supervisor
|
||||||
|
into_namespace:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
||||||
|
default: null
|
||||||
|
custom_labels:
|
||||||
|
nullable: true
|
||||||
|
description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
|
||||||
|
default: null
|
||||||
|
replicas:
|
||||||
|
type: integer
|
||||||
|
description: Specify how many replicas of the Pinniped server to run.
|
||||||
|
default: 2
|
||||||
|
image_repo:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
image_digest:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: null
|
||||||
|
image_tag:
|
||||||
|
type: string
|
||||||
|
description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
|
default: latest
|
||||||
|
image_pull_dockerconfigjson:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
|
||||||
|
properties:
|
||||||
|
auths:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
https://registry.example.com:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
username:
|
||||||
|
type: string
|
||||||
|
default: USERNAME
|
||||||
|
password:
|
||||||
|
type: string
|
||||||
|
default: PASSWORD
|
||||||
|
auth:
|
||||||
|
type: string
|
||||||
|
default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
|
||||||
|
deprecated_service_http_nodeport_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_nodeport_nodeport:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_loadbalancer_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
|
||||||
|
default: null
|
||||||
|
deprecated_service_http_clusterip_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_https_nodeport_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_https_nodeport_nodeport:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
|
||||||
|
default: null
|
||||||
|
service_https_loadbalancer_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_https_clusterip_port:
|
||||||
|
type: integer
|
||||||
|
nullable: true
|
||||||
|
description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
|
||||||
|
default: null
|
||||||
|
service_loadbalancer_ip:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
|
||||||
|
default: null
|
||||||
|
log_level:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
||||||
|
default: null
|
||||||
|
deprecated_log_format:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
|
||||||
|
default: null
|
||||||
|
run_as_user:
|
||||||
|
type: integer
|
||||||
|
description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
run_as_group:
|
||||||
|
type: integer
|
||||||
|
description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
|
default: 65532
|
||||||
|
api_group_suffix:
|
||||||
|
type: string
|
||||||
|
description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
||||||
|
default: pinniped.dev
|
||||||
|
https_proxy:
|
||||||
|
type: string
|
||||||
|
nullable: true
|
||||||
|
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
|
||||||
|
default: null
|
||||||
|
no_proxy:
|
||||||
|
type: string
|
||||||
|
description: do not proxy Kubernetes endpoints
|
||||||
|
default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
|
||||||
|
endpoints:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
nullable: true
|
||||||
|
description: Control the HTTP and HTTPS listeners of the Supervisor.
|
||||||
|
properties:
|
||||||
|
https:
|
||||||
|
type: object
|
||||||
|
additionalProperties: false
|
||||||
|
properties:
|
||||||
|
network:
|
||||||
|
type: string
|
||||||
|
default: tcp
|
||||||
|
address:
|
||||||
|
type: string
|
||||||
|
default: 1.2.3.4:5678
|
||||||
|
deprecated_insecure_accept_external_unencrypted_http_requests:
|
||||||
|
type: boolean
|
||||||
|
description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
|
||||||
|
default: false
|
7
deploy_carvel/supervisor/vendir.lock.yml
Normal file
7
deploy_carvel/supervisor/vendir.lock.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
apiVersion: vendir.k14s.io/v1alpha1
|
||||||
|
directories:
|
||||||
|
- contents:
|
||||||
|
- directory: {}
|
||||||
|
path: .
|
||||||
|
path: config
|
||||||
|
kind: LockConfig
|
8
deploy_carvel/supervisor/vendir.yml
Normal file
8
deploy_carvel/supervisor/vendir.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
apiVersion: vendir.k14s.io/v1alpha1
|
||||||
|
kind: Config
|
||||||
|
directories:
|
||||||
|
- path: config
|
||||||
|
contents:
|
||||||
|
- path: .
|
||||||
|
directory:
|
||||||
|
path: ../../deploy/supervisor
|
435
hack/build-carvel-packages.sh
Executable file
435
hack/build-carvel-packages.sh
Executable file
@ -0,0 +1,435 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
#
|
||||||
|
# This script can be used in conjunction with prepare-for-integration-tests.sh.
|
||||||
|
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
|
||||||
|
# the integration tests script will create a local docker registry and configure kind to use the registry
|
||||||
|
# and will build the Pinniped binary and container image.
|
||||||
|
# This script will then create Carvel Packages for supervisor,concierge and local-user-authenticator.
|
||||||
|
# It will also create a Carvel PackageRepository.
|
||||||
|
# The PackageRepository will be installed on the kind cluster, then PackageInstall resources
|
||||||
|
# will be created to deploy an instance of each of the packages on the cluster.
|
||||||
|
# Once this script has completed, Pinniped can be interacted with as if it had been deployed in the usual way,
|
||||||
|
# for example by running tests or by preparing supervisor for manual interactions:
|
||||||
|
# source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration -run /TestE2EFullIntegration_Browser
|
||||||
|
# hack/prepare-supervisor-on-kind.sh --oidc
|
||||||
|
#
|
||||||
|
# Example usage:
|
||||||
|
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh
|
||||||
|
#
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
#
|
||||||
|
# Helper functions
|
||||||
|
#
|
||||||
|
function log_note() {
|
||||||
|
GREEN='\033[0;32m'
|
||||||
|
NC='\033[0m'
|
||||||
|
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
|
||||||
|
echo -e "${GREEN}$*${NC}"
|
||||||
|
else
|
||||||
|
echo "$*"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function log_error() {
|
||||||
|
RED='\033[0;31m'
|
||||||
|
NC='\033[0m'
|
||||||
|
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
|
||||||
|
echo -e "🙁${RED} Error: $* ${NC}"
|
||||||
|
else
|
||||||
|
echo ":( Error: $*"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_dependency() {
|
||||||
|
if ! command -v "$1" >/dev/null; then
|
||||||
|
log_error "Missing dependency..."
|
||||||
|
log_error "$2"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||||
|
cd "$pinniped_path" || exit 1
|
||||||
|
|
||||||
|
# arguments provided to scripts called by hack/prepare-for-integration-tests.sh
|
||||||
|
# - app: unimportant, but always first
|
||||||
|
# - tag: uuidgen in hack/prepare-for-integration-tests.sh
|
||||||
|
# if this script is run standalone, then auto-fill with a unique value
|
||||||
|
app=${1:-"undefined"}
|
||||||
|
tag=${2:-$(uuidgen)}
|
||||||
|
|
||||||
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" == "" ]]; then
|
||||||
|
log_error "Building the Carvel package requires configuring kind with a local registry."
|
||||||
|
log_error "please set the environment variable PINNIPED_USE_LOCAL_KIND_REGISTRY"
|
||||||
|
log_error "for example:"
|
||||||
|
log_error " PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# TODO: automate the version by release somehow.
|
||||||
|
# the tag is the version in our build scripts, but we will want real versions for releases
|
||||||
|
pinniped_package_version="${tag}" # ie, "0.25.0"
|
||||||
|
|
||||||
|
# core pinniped binaries (concierge, supervisor, local-user-authenticator)
|
||||||
|
# TODO: we can likely just pass in the whole registry_repo_tag from the parent script and be done.
|
||||||
|
# the duplication is unnecessary. This script doesn't ever need to run standalone again.
|
||||||
|
registry="kind-registry.local:5000"
|
||||||
|
repo="test/build"
|
||||||
|
registry_repo="$registry/$repo"
|
||||||
|
registry_repo_tag="${registry_repo}:${tag}"
|
||||||
|
|
||||||
|
api_group_suffix="pinniped.dev"
|
||||||
|
|
||||||
|
# Package prefix for concierge, supervisor, local-user-authenticator
|
||||||
|
package_repo_prefix="${registry_repo}/package" # + $resource_name + ":" + $tag
|
||||||
|
|
||||||
|
# Pinniped Package repository
|
||||||
|
package_repository_repo="pinniped-package-repository"
|
||||||
|
package_repository_repo_tag="${registry_repo}/${package_repository_repo}:${tag}"
|
||||||
|
|
||||||
|
# carvel
|
||||||
|
log_note "Installing kapp-controller on cluster..."
|
||||||
|
KAPP_CONTROLLER_GLOBAL_NAMESPACE="kapp-controller-packaging-global"
|
||||||
|
kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml" -y
|
||||||
|
kubectl get customresourcedefinitions
|
||||||
|
|
||||||
|
# Generate the OpenAPI v3 Schema files, imgpkg images.yml files
|
||||||
|
declare -a arr=("local-user-authenticator" "concierge" "supervisor")
|
||||||
|
for resource_name in "${arr[@]}"
|
||||||
|
do
|
||||||
|
resource_qualified_name="${resource_name}.${api_group_suffix}"
|
||||||
|
package_repo_tag="${package_repo_prefix}-${resource_name}:${tag}"
|
||||||
|
|
||||||
|
resource_dir="deploy_carvel/${resource_name}"
|
||||||
|
resource_config_source_dir="deploy/${resource_name}"
|
||||||
|
resource_destination_dir="deploy_carvel/${resource_name}"
|
||||||
|
resource_config_destination_dir="${resource_destination_dir}/config"
|
||||||
|
|
||||||
|
# these must be real files, not symlinks
|
||||||
|
log_note "Vendir sync deploy directory for ${resource_name} to package bundle..."
|
||||||
|
pushd "${resource_destination_dir}" > /dev/null
|
||||||
|
vendir sync
|
||||||
|
popd > /dev/null
|
||||||
|
|
||||||
|
log_note "Generating OpenAPI v3 schema for ${resource_name}..."
|
||||||
|
ytt \
|
||||||
|
--file "${resource_config_destination_dir}" \
|
||||||
|
--data-values-schema-inspect \
|
||||||
|
--output openapi-v3 > \
|
||||||
|
"${resource_dir}/schema-openapi.yaml"
|
||||||
|
|
||||||
|
log_note "Generating .imgpkg/images.yml for ${resource_name}..."
|
||||||
|
mkdir -p "${resource_dir}/.imgpkg"
|
||||||
|
ytt \
|
||||||
|
--file "${resource_config_destination_dir}" | \
|
||||||
|
kbld -f- --imgpkg-lock-output "${resource_dir}/.imgpkg/images.yml"
|
||||||
|
|
||||||
|
|
||||||
|
log_note "Pushing Pinniped ${resource_name} Package bundle..."
|
||||||
|
imgpkg push --bundle "${package_repo_tag}" --file "${resource_dir}"
|
||||||
|
# validation flag?
|
||||||
|
log_note "Validating ${resource_name} Package bundle not empty (/tmp/${package_repo_tag})..."
|
||||||
|
imgpkg pull --bundle "${package_repo_tag}" --output "/tmp/${package_repo_tag}"
|
||||||
|
|
||||||
|
|
||||||
|
log_note "Generating PackageRepository Package entry for ${resource_name}"
|
||||||
|
# publish package versions to package repository
|
||||||
|
package_repository_dir="deploy_carvel/package_repository/packages/${resource_qualified_name}"
|
||||||
|
rm -rf "${package_repository_dir}"
|
||||||
|
mkdir "${package_repository_dir}"
|
||||||
|
|
||||||
|
ytt \
|
||||||
|
--file "${resource_dir}/package-template.yml" \
|
||||||
|
--data-value-file openapi="${resource_dir}/schema-openapi.yml" \
|
||||||
|
--data-value repo_host="${package_repo_prefix}-${resource_name}" \
|
||||||
|
--data-value version="${pinniped_package_version}" > "${package_repository_dir}/${pinniped_package_version}.yml"
|
||||||
|
cp "deploy_carvel/${resource_name}/metadata.yml" "${package_repository_dir}/metadata.yml"
|
||||||
|
done
|
||||||
|
|
||||||
|
log_note "Generating .imgpkg/images.yml for Pinniped PackageRepository bundle..."
|
||||||
|
mkdir -p "deploy_carvel/package_repository/.imgpkg"
|
||||||
|
kbld --file "deploy_carvel/package_repository/packages/" --imgpkg-lock-output "deploy_carvel/package_repository/.imgpkg/images.yml"
|
||||||
|
|
||||||
|
log_note "Pushing Pinniped PackageRepository bundle.... "
|
||||||
|
imgpkg push --bundle "${package_repository_repo_tag}" --file "deploy_carvel/package_repository"
|
||||||
|
|
||||||
|
# validation flag?
|
||||||
|
log_note "Validating Pinniped PackageRepository bundle not empty /tmp/${package_repo_tag}..."
|
||||||
|
imgpkg pull --bundle "${package_repository_repo_tag}" --output "/tmp/${package_repository_repo_tag}"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## NOTE: could break apart here at a build and a deploy script.
|
||||||
|
|
||||||
|
log_note "cleaning deploy artifacts..."
|
||||||
|
rm -rf "deploy_carvel/deploy"
|
||||||
|
mkdir "deploy_carvel/deploy"
|
||||||
|
|
||||||
|
log_note "deploying PackageRepository..."
|
||||||
|
pinniped_package_repository_name="pinniped-package-repository"
|
||||||
|
pinniped_package_repository_file="deploy_carvel/deploy/packagerepository.${pinniped_package_version}.yml"
|
||||||
|
echo -n "" > "${pinniped_package_repository_file}"
|
||||||
|
cat <<EOT >> "${pinniped_package_repository_file}"
|
||||||
|
---
|
||||||
|
apiVersion: packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageRepository
|
||||||
|
metadata:
|
||||||
|
name: "${pinniped_package_repository_name}"
|
||||||
|
namespace: "${KAPP_CONTROLLER_GLOBAL_NAMESPACE}"
|
||||||
|
spec:
|
||||||
|
fetch:
|
||||||
|
imgpkgBundle:
|
||||||
|
image: "${package_repository_repo_tag}"
|
||||||
|
EOT
|
||||||
|
|
||||||
|
kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_package_repository_file}" -y
|
||||||
|
kapp inspect --app "${pinniped_package_repository_name}" --tree
|
||||||
|
|
||||||
|
|
||||||
|
for resource_name in "${arr[@]}"
|
||||||
|
do
|
||||||
|
log_note "creating PackageInstall and RBAC for ${resource_name}..."
|
||||||
|
|
||||||
|
namespace="${resource_name}-install-ns"
|
||||||
|
pinniped_package_rbac_prefix="pinniped-package-rbac-${resource_name}"
|
||||||
|
pinniped_package_rbac_file="deploy_carvel/deploy/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml"
|
||||||
|
echo -n "" > "${pinniped_package_rbac_file}"
|
||||||
|
# TODO: will just a Role and RoleBinding work? Just for the target namespace.
|
||||||
|
# - limit this to the LEAST privilege for each of the resources
|
||||||
|
# - and document this for each of the resources.
|
||||||
|
# - and we may need to TEMPLATE the namespace, if pinniped is installed in alt namespaces?
|
||||||
|
cat <<EOF >> "${pinniped_package_rbac_file}"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: "${namespace}"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: "${pinniped_package_rbac_prefix}-sa-superadmin-dangerous"
|
||||||
|
namespace: "${namespace}"
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "${pinniped_package_rbac_prefix}-role-superadmin-dangerous"
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["*"]
|
||||||
|
resources: ["*"]
|
||||||
|
verbs: ["*"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: "${pinniped_package_rbac_prefix}-role-binding-superadmin-dangerous"
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: "${pinniped_package_rbac_prefix}-sa-superadmin-dangerous"
|
||||||
|
namespace: "${namespace}"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: "${pinniped_package_rbac_prefix}-role-superadmin-dangerous"
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y
|
||||||
|
done
|
||||||
|
|
||||||
|
# start local-user-authenticator
|
||||||
|
# local-user-authenticator
|
||||||
|
log_note "deploying local-user-authenticator PackageInstall resources..."
|
||||||
|
resource_name="local-user-authenticator"
|
||||||
|
NAMESPACE="${resource_name}-install-ns"
|
||||||
|
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
|
||||||
|
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
|
||||||
|
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
|
||||||
|
SECRET_NAME="${resource_name}-package-install-secret"
|
||||||
|
|
||||||
|
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
|
||||||
|
---
|
||||||
|
apiVersion: packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageInstall
|
||||||
|
metadata:
|
||||||
|
# name, does not have to be versioned, versionSelection.constraints below will handle
|
||||||
|
name: "${resource_name}-package-install"
|
||||||
|
namespace: "${NAMESPACE}"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
|
||||||
|
packageRef:
|
||||||
|
refName: "${RESOURCE_PACKAGE_VERSION}"
|
||||||
|
versionSelection:
|
||||||
|
constraints: "${pinniped_package_version}"
|
||||||
|
values:
|
||||||
|
- secretRef:
|
||||||
|
name: "${SECRET_NAME}"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: "${SECRET_NAME}"
|
||||||
|
namespace: "${NAMESPACE}"
|
||||||
|
stringData:
|
||||||
|
values.yml: |
|
||||||
|
---
|
||||||
|
image_repo: $registry_repo
|
||||||
|
image_tag: $tag
|
||||||
|
EOF
|
||||||
|
|
||||||
|
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
|
||||||
|
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
|
||||||
|
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
|
||||||
|
|
||||||
|
test_username="test-username"
|
||||||
|
test_groups="test-group-0,test-group-1"
|
||||||
|
test_password="$(openssl rand -hex 16)"
|
||||||
|
log_note "Creating test user '$test_username'..."
|
||||||
|
kubectl create secret generic "$test_username" \
|
||||||
|
--namespace local-user-authenticator \
|
||||||
|
--from-literal=groups="$test_groups" \
|
||||||
|
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
|
||||||
|
--dry-run=client \
|
||||||
|
--output yaml |
|
||||||
|
kubectl apply -f -
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# start concierge
|
||||||
|
log_note "deploying concierge PackageInstall resources..."
|
||||||
|
resource_name="concierge"
|
||||||
|
NAMESPACE="${resource_name}-install-ns"
|
||||||
|
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
|
||||||
|
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
|
||||||
|
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
|
||||||
|
SECRET_NAME="${resource_name}-package-install-secret"
|
||||||
|
|
||||||
|
# from prepare-for-integration-tests.sh
|
||||||
|
concierge_app_name="pinniped-concierge"
|
||||||
|
concierge_namespace="concierge"
|
||||||
|
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
|
||||||
|
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
|
||||||
|
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
|
||||||
|
log_level="debug"
|
||||||
|
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
|
||||||
|
---
|
||||||
|
apiVersion: packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageInstall
|
||||||
|
metadata:
|
||||||
|
# name, does not have to be versioned, versionSelection.constraints below will handle
|
||||||
|
name: "${resource_name}-package-install"
|
||||||
|
namespace: "${NAMESPACE}"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
|
||||||
|
packageRef:
|
||||||
|
refName: "${RESOURCE_PACKAGE_VERSION}"
|
||||||
|
versionSelection:
|
||||||
|
constraints: "${pinniped_package_version}"
|
||||||
|
values:
|
||||||
|
- secretRef:
|
||||||
|
name: "${SECRET_NAME}"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: "${SECRET_NAME}"
|
||||||
|
namespace: "${NAMESPACE}"
|
||||||
|
stringData:
|
||||||
|
values.yml: |
|
||||||
|
---
|
||||||
|
app_name: $concierge_app_name
|
||||||
|
namespace: $concierge_namespace
|
||||||
|
api_group_suffix: $api_group_suffix
|
||||||
|
log_level: $log_level
|
||||||
|
custom_labels: $concierge_custom_labels
|
||||||
|
image_repo: $registry_repo
|
||||||
|
image_tag: $tag
|
||||||
|
discovery_url: $discovery_url
|
||||||
|
EOF
|
||||||
|
|
||||||
|
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
|
||||||
|
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
|
||||||
|
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
|
||||||
|
# end concierge
|
||||||
|
|
||||||
|
|
||||||
|
# start supervisor
|
||||||
|
log_note "deploying supervisor PackageInstall resources..."
|
||||||
|
resource_name="supervisor"
|
||||||
|
NAMESPACE="${resource_name}-install-ns"
|
||||||
|
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
|
||||||
|
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
|
||||||
|
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
|
||||||
|
SECRET_NAME="${resource_name}-package-install-secret"
|
||||||
|
|
||||||
|
# from prepare-for-integration-test.sh
|
||||||
|
supervisor_app_name="pinniped-supervisor"
|
||||||
|
supervisor_namespace="supervisor"
|
||||||
|
supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
|
||||||
|
log_level="debug"
|
||||||
|
service_https_nodeport_port="443"
|
||||||
|
service_https_nodeport_nodeport="31243"
|
||||||
|
service_https_clusterip_port="443"
|
||||||
|
cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
|
||||||
|
---
|
||||||
|
apiVersion: packaging.carvel.dev/v1alpha1
|
||||||
|
kind: PackageInstall
|
||||||
|
metadata:
|
||||||
|
# name, does not have to be versioned, versionSelection.constraints below will handle
|
||||||
|
name: "${resource_name}-package-install"
|
||||||
|
namespace: "${NAMESPACE}"
|
||||||
|
spec:
|
||||||
|
serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
|
||||||
|
packageRef:
|
||||||
|
refName: "${RESOURCE_PACKAGE_VERSION}"
|
||||||
|
versionSelection:
|
||||||
|
constraints: "${pinniped_package_version}"
|
||||||
|
values:
|
||||||
|
- secretRef:
|
||||||
|
name: "${SECRET_NAME}"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: "${SECRET_NAME}"
|
||||||
|
namespace: "${NAMESPACE}"
|
||||||
|
stringData:
|
||||||
|
values.yml: |
|
||||||
|
---
|
||||||
|
app_name: $supervisor_app_name
|
||||||
|
namespace: $supervisor_namespace
|
||||||
|
api_group_suffix: $api_group_suffix
|
||||||
|
image_repo: $registry_repo
|
||||||
|
image_tag: $tag
|
||||||
|
log_level: $log_level
|
||||||
|
custom_labels: $supervisor_custom_labels
|
||||||
|
service_https_nodeport_port: $service_https_nodeport_port
|
||||||
|
service_https_nodeport_nodeport: $service_https_nodeport_nodeport
|
||||||
|
service_https_clusterip_port: $service_https_clusterip_port
|
||||||
|
EOF
|
||||||
|
|
||||||
|
KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
|
||||||
|
log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
|
||||||
|
# TODO: does this wait not only for the PackageInstall, but the Package, and its deployments and pods, to be successful? Because we need that.
|
||||||
|
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
|
||||||
|
# end supervisor
|
||||||
|
|
||||||
|
log_note "verifying PackageInstall resources..."
|
||||||
|
kubectl get PackageInstall -A | grep pinniped
|
||||||
|
kubectl get secret -A | grep pinniped
|
||||||
|
|
||||||
|
log_note "listing all package resources (PackageRepository, Package, PackageInstall)..."
|
||||||
|
kubectl get pkgi && kubectl get pkgr && kubectl get pkg
|
||||||
|
|
||||||
|
log_note "listing all kapp cli apps..."
|
||||||
|
kapp ls --all-namespaces
|
||||||
|
|
||||||
|
log_note "listing all kapp-controller apps..."
|
||||||
|
kubectl get app --all-namespaces
|
22
hack/delete-carvel-packages.sh
Normal file
22
hack/delete-carvel-packages.sh
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
#
|
||||||
|
# This script can be used to prepare a kind cluster and deploy the app.
|
||||||
|
# You can call this script again to redeploy the app.
|
||||||
|
# It will also output instructions on how to run the integration.
|
||||||
|
#
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# whats all installed
|
||||||
|
kubectl get pkgr -A && kubectl get pkg -A && kubectl get pkgi -A
|
||||||
|
|
||||||
|
# delete the package installs
|
||||||
|
kubectl delete pkgi concierge-package-install -n concierge-install-ns
|
||||||
|
kubectl delete pkgi supervisor-package-install -n supervisor-install-ns
|
||||||
|
kubectl delete pkgi local-user-authenticator-package-install -n local-user-authenticator-install-ns
|
||||||
|
|
||||||
|
# TODO: clean up the rest also
|
@ -11,7 +11,8 @@ set -euo pipefail
|
|||||||
|
|
||||||
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
||||||
|
|
||||||
source /tmp/integration-test-env
|
|
||||||
|
source "/tmp/integration-test-env"
|
||||||
|
|
||||||
echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;"
|
echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;"
|
||||||
|
|
||||||
|
@ -8,4 +8,11 @@ set -euo pipefail
|
|||||||
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
||||||
cd "${ROOT}"
|
cd "${ROOT}"
|
||||||
|
|
||||||
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
|
||||||
|
reg_name='kind-registry.local'
|
||||||
|
docker network disconnect "kind" "${reg_name}" || true
|
||||||
|
docker stop "${reg_name}" || true
|
||||||
|
docker rm "${reg_name}" || true
|
||||||
|
fi
|
||||||
|
|
||||||
kind delete cluster --name pinniped
|
kind delete cluster --name pinniped
|
||||||
|
@ -8,13 +8,60 @@ set -euo pipefail
|
|||||||
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||||
cd "${ROOT}"
|
cd "${ROOT}"
|
||||||
|
|
||||||
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
|
|
||||||
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
|
||||||
|
# create registry container unless it already exists
|
||||||
|
reg_name='kind-registry.local'
|
||||||
|
reg_port='5000'
|
||||||
|
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
|
||||||
|
docker run \
|
||||||
|
-d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
|
||||||
|
registry:2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" && "$PINNIPED_USE_LOCAL_KIND_REGISTRY" != "" ]]; then
|
||||||
|
echo "Adding Contour port mapping and local registry to Kind config."
|
||||||
|
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
|
||||||
|
-f "${ROOT}/hack/lib/kind-config/contour-overlay.yaml" \
|
||||||
|
-f "${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml" >/tmp/kind-config.yaml
|
||||||
|
kind create cluster --config /tmp/kind-config.yaml --name pinniped
|
||||||
|
elif [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
|
||||||
echo "Adding Contour port mapping to Kind config."
|
echo "Adding Contour port mapping to Kind config."
|
||||||
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
|
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
|
||||||
-f "${ROOT}/hack/lib/kind-config/contour-overlay.yaml" >/tmp/kind-config.yaml
|
-f "${ROOT}/hack/lib/kind-config/contour-overlay.yaml" >/tmp/kind-config.yaml
|
||||||
kind create cluster --config /tmp/kind-config.yaml --name pinniped
|
kind create cluster --config /tmp/kind-config.yaml --name pinniped
|
||||||
|
elif [[ "$PINNIPED_USE_LOCAL_KIND_REGISTRY" != "" ]]; then
|
||||||
|
echo "Adding local registry to Kind config."
|
||||||
|
ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
|
||||||
|
-f "${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml" >/tmp/kind-config.yaml
|
||||||
|
kind create cluster --config /tmp/kind-config.yaml --name pinniped
|
||||||
else
|
else
|
||||||
# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.28.0`.
|
# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.28.0`.
|
||||||
# To debug the kind config, add this option to the command below: `-v 10`
|
# To debug the kind config, add this option to the command below: `-v 10`
|
||||||
kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped
|
kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
|
||||||
|
# connect the registry to the cluster network if not already connected
|
||||||
|
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
|
||||||
|
docker network connect "kind" "${reg_name}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Document the local registry
|
||||||
|
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
|
||||||
|
cat <<EOF | kubectl apply -f -
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: local-registry-hosting
|
||||||
|
namespace: kube-public
|
||||||
|
data:
|
||||||
|
localRegistryHosting.v1: |
|
||||||
|
host: "localhost:${reg_port}"
|
||||||
|
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
fi
|
||||||
|
11
hack/lib/kind-config/kind-registry-overlay.yaml
Normal file
11
hack/lib/kind-config/kind-registry-overlay.yaml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
#! Copyright 2023 the Pinniped contributors. All Rights Reserved.
|
||||||
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
#@ load("@ytt:overlay", "overlay")
|
||||||
|
#@overlay/match by=overlay.all
|
||||||
|
---
|
||||||
|
#@overlay/match missing_ok=True
|
||||||
|
containerdConfigPatches:
|
||||||
|
- |-
|
||||||
|
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."kind-registry.local:5000"]
|
||||||
|
endpoint = ["http://kind-registry.local:5000"]
|
45
hack/noop.sh
Executable file
45
hack/noop.sh
Executable file
@ -0,0 +1,45 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# This script is intended to be used with:
|
||||||
|
# - $repo_root/hack/prepare-for-integration-test.sh --alternate-deploy $(pwd)/deploy_carvel/hack/log-args.sh
|
||||||
|
# and originated with the following:
|
||||||
|
# - https://github.com/jvanzyl/pinniped-charts/blob/main/alternate-deploy-helm
|
||||||
|
# along with this PR to pinniped:
|
||||||
|
# - https://github.com/vmware-tanzu/pinniped/pull/1028
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
#
|
||||||
|
# Helper functions
|
||||||
|
#
|
||||||
|
function log_note() {
|
||||||
|
GREEN='\033[0;32m'
|
||||||
|
NC='\033[0m'
|
||||||
|
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
|
||||||
|
echo -e "${GREEN}$*${NC}"
|
||||||
|
else
|
||||||
|
echo "$*"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function log_error() {
|
||||||
|
RED='\033[0;31m'
|
||||||
|
NC='\033[0m'
|
||||||
|
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
|
||||||
|
echo -e "🙁${RED} Error: $* ${NC}"
|
||||||
|
else
|
||||||
|
echo ":( Error: $*"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_dependency() {
|
||||||
|
if ! command -v "$1" >/dev/null; then
|
||||||
|
log_error "Missing dependency..."
|
||||||
|
log_error "$2"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
app=${1}
|
||||||
|
tag=${2}
|
||||||
|
log_note "noop.sh >>> app: ${app} tag: ${tag}"
|
@ -8,7 +8,15 @@
|
|||||||
# You can call this script again to redeploy the app.
|
# You can call this script again to redeploy the app.
|
||||||
# It will also output instructions on how to run the integration.
|
# It will also output instructions on how to run the integration.
|
||||||
#
|
#
|
||||||
|
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
|
||||||
|
# the script will create a local docker registry and configure kind to use the registry. When building
|
||||||
|
# and installing Pinniped normally this is unnecessary. However, if an alternative build and install approach
|
||||||
|
# is taken, such as via a Carvel packaging mechanism, a local registry might be needed (for example, the
|
||||||
|
# kbld tool requires a registry to resolve images to shas).
|
||||||
|
#
|
||||||
|
# Example usage:
|
||||||
|
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh
|
||||||
|
#
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -55,6 +63,7 @@ alternate_deploy="undefined"
|
|||||||
alternate_deploy_supervisor="undefined"
|
alternate_deploy_supervisor="undefined"
|
||||||
alternate_deploy_concierge="undefined"
|
alternate_deploy_concierge="undefined"
|
||||||
alternate_deploy_local_user_authenticator="undefined"
|
alternate_deploy_local_user_authenticator="undefined"
|
||||||
|
post_install="undefined"
|
||||||
|
|
||||||
# supported variable style:
|
# supported variable style:
|
||||||
# --dockerfile-path ./foo.sh
|
# --dockerfile-path ./foo.sh
|
||||||
@ -140,6 +149,15 @@ while (("$#")); do
|
|||||||
alternate_deploy_local_user_authenticator=$1
|
alternate_deploy_local_user_authenticator=$1
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
--post-install)
|
||||||
|
shift
|
||||||
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
||||||
|
log_error "--post-install requires a script path to be specified"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
post_install=$1
|
||||||
|
shift
|
||||||
|
;;
|
||||||
-*)
|
-*)
|
||||||
log_error "Unsupported flag $1" >&2
|
log_error "Unsupported flag $1" >&2
|
||||||
if [[ "$1" == *"active-directory"* ]]; then
|
if [[ "$1" == *"active-directory"* ]]; then
|
||||||
@ -169,6 +187,7 @@ if [[ "$help" == "yes" ]]; then
|
|||||||
log_note " --alternate-deploy-supervisor: specify an alternate deploy script to install Pinniped Supervisor"
|
log_note " --alternate-deploy-supervisor: specify an alternate deploy script to install Pinniped Supervisor"
|
||||||
log_note " --alternate-deploy-concierge: specify an alternate deploy script to install Pinniped Concierge"
|
log_note " --alternate-deploy-concierge: specify an alternate deploy script to install Pinniped Concierge"
|
||||||
log_note " --alternate-deploy-local-user-authenticator: specify an alternate deploy script to install Pinniped local-user-authenticator"
|
log_note " --alternate-deploy-local-user-authenticator: specify an alternate deploy script to install Pinniped local-user-authenticator"
|
||||||
|
log_note " --post-install: specify an post-install script"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -221,12 +240,34 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
registry="pinniped.local"
|
registry="pinniped.local"
|
||||||
|
registry_with_port="$registry"
|
||||||
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
|
||||||
|
registry="kind-registry.local"
|
||||||
|
registry_with_port="$registry:5000"
|
||||||
|
fi
|
||||||
|
|
||||||
repo="test/build"
|
repo="test/build"
|
||||||
registry_repo="$registry/$repo"
|
registry_repo="$registry_with_port/$repo"
|
||||||
tag=$(uuidgen) # always a new tag to force K8s to reload the image on redeploy
|
tag="0.0.0-$(uuidgen)" # always a new tag to force K8s to reload the image on redeploy
|
||||||
|
|
||||||
|
|
||||||
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
|
||||||
|
etc_hosts_local_registry_missing=no
|
||||||
|
if ! grep -q "$registry" /etc/hosts; then
|
||||||
|
etc_hosts_local_registry_missing=yes
|
||||||
|
fi
|
||||||
|
if [[ "$etc_hosts_local_registry_missing" == "yes" ]]; then
|
||||||
|
echo
|
||||||
|
log_error "In order to configure the kind cluster to use the local registry properly,"
|
||||||
|
log_error "please run this command to edit /etc/hosts, and then run this script again with the same options."
|
||||||
|
echo "sudo bash -c \"echo '127.0.0.1 $registry' >> /etc/hosts\""
|
||||||
|
log_error "When you are finished with your Kind cluster, you can remove this line from /etc/hosts."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ "$skip_build" == "yes" ]]; then
|
if [[ "$skip_build" == "yes" ]]; then
|
||||||
most_recent_tag=$(docker images "$registry/$repo" --format "{{.Tag}}" | head -1)
|
most_recent_tag=$(docker images "$registry_repo" --format "{{.Tag}}" | head -1)
|
||||||
if [[ -n "$most_recent_tag" ]]; then
|
if [[ -n "$most_recent_tag" ]]; then
|
||||||
tag="$most_recent_tag"
|
tag="$most_recent_tag"
|
||||||
do_build=no
|
do_build=no
|
||||||
@ -253,15 +294,19 @@ if [[ "$do_build" == "yes" ]]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Load it into the cluster
|
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
|
||||||
|
# if registry used, push to the registry
|
||||||
|
log_note "Loading the app's container image into the local registry ($registry_with_port)..."
|
||||||
|
docker push "$registry_repo_tag"
|
||||||
|
else
|
||||||
|
# otherwise side-load directly
|
||||||
log_note "Loading the app's container image into the kind cluster..."
|
log_note "Loading the app's container image into the kind cluster..."
|
||||||
kind load docker-image "$registry_repo_tag" --name pinniped
|
kind load docker-image "$registry_repo_tag" --name pinniped
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
# Deploy local-user-authenticator
|
# Deploy local-user-authenticator
|
||||||
#
|
#
|
||||||
manifest=/tmp/pinniped-local-user-authenticator.yaml
|
manifest=/tmp/pinniped-local-user-authenticator.yaml
|
||||||
|
|
||||||
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ] ; then
|
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ] ; then
|
||||||
if [ "$alternate_deploy" != "undefined" ]; then
|
if [ "$alternate_deploy" != "undefined" ]; then
|
||||||
log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
|
log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
|
||||||
@ -280,6 +325,7 @@ else
|
|||||||
|
|
||||||
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
|
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
|
||||||
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
||||||
|
|
||||||
popd >/dev/null
|
popd >/dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -303,18 +349,6 @@ kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
|||||||
|
|
||||||
popd >/dev/null
|
popd >/dev/null
|
||||||
|
|
||||||
test_username="test-username"
|
|
||||||
test_groups="test-group-0,test-group-1"
|
|
||||||
test_password="$(openssl rand -hex 16)"
|
|
||||||
log_note "Creating test user '$test_username'..."
|
|
||||||
kubectl create secret generic "$test_username" \
|
|
||||||
--namespace local-user-authenticator \
|
|
||||||
--from-literal=groups="$test_groups" \
|
|
||||||
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
|
|
||||||
--dry-run=client \
|
|
||||||
--output yaml |
|
|
||||||
kubectl apply -f -
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Deploy the Pinniped Supervisor
|
# Deploy the Pinniped Supervisor
|
||||||
#
|
#
|
||||||
@ -364,7 +398,6 @@ manifest=/tmp/pinniped-concierge.yaml
|
|||||||
concierge_app_name="pinniped-concierge"
|
concierge_app_name="pinniped-concierge"
|
||||||
concierge_namespace="concierge"
|
concierge_namespace="concierge"
|
||||||
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
|
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
|
||||||
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
|
|
||||||
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
|
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
|
||||||
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
|
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
|
||||||
log_level="debug"
|
log_level="debug"
|
||||||
@ -396,6 +429,38 @@ else
|
|||||||
popd >/dev/null
|
popd >/dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# Call a post-install script
|
||||||
|
# simplifies passing the $tag which may be necessary if the current local build is to be
|
||||||
|
# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
|
||||||
|
# running it after the above also allows appending to the environment variable file
|
||||||
|
if [ "$post_install" != "undefined" ] ; then
|
||||||
|
log_note "The post-install script will be called with $tag..."
|
||||||
|
$post_install post-install-script $tag
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# Test user for the authenticator
|
||||||
|
# the authenticator may be deployed in alternative ways (ex. carvel package) but regardless we need a test user.
|
||||||
|
#
|
||||||
|
log_note "Creating test user for local-user-authenticator..."
|
||||||
|
test_username="test-username"
|
||||||
|
test_groups="test-group-0,test-group-1"
|
||||||
|
test_password="$(openssl rand -hex 16)"
|
||||||
|
|
||||||
|
kubectl create secret generic "$test_username" \
|
||||||
|
--namespace local-user-authenticator \
|
||||||
|
--from-literal=groups="$test_groups" \
|
||||||
|
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
|
||||||
|
--dry-run=client \
|
||||||
|
--output yaml |
|
||||||
|
kubectl apply -f -
|
||||||
|
|
||||||
|
#
|
||||||
|
# Regardless of how the local-user-authenticator is installed, we need the webhook bundle in the environment file.
|
||||||
|
#
|
||||||
|
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Download the test CA bundle that was generated in the Dex pod.
|
# Download the test CA bundle that was generated in the Dex pod.
|
||||||
# Note that this returns a base64 encoded value.
|
# Note that this returns a base64 encoded value.
|
||||||
@ -412,7 +477,9 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index
|
|||||||
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
|
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
|
||||||
pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
|
pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
|
||||||
|
|
||||||
cat <<EOF >/tmp/integration-test-env
|
env_file_name="/tmp/integration-test-env"
|
||||||
|
|
||||||
|
cat <<EOF >"$env_file_name"
|
||||||
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
|
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
|
||||||
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
|
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
|
||||||
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
|
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
|
||||||
@ -484,6 +551,7 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
|
|||||||
export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
|
export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Print instructions for next steps.
|
# Print instructions for next steps.
|
||||||
#
|
#
|
||||||
@ -491,7 +559,7 @@ log_note
|
|||||||
log_note "🚀 Ready to run integration tests! For example..."
|
log_note "🚀 Ready to run integration tests! For example..."
|
||||||
log_note " cd $pinniped_path"
|
log_note " cd $pinniped_path"
|
||||||
log_note " ulimit -n 512"
|
log_note " ulimit -n 512"
|
||||||
log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration'
|
log_note " source $env_file_name && go test -v -race -count 1 -timeout 0 ./test/integration"
|
||||||
log_note
|
log_note
|
||||||
log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
|
log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
|
||||||
log_note " hack/integration-test-env-goland.sh | pbcopy"
|
log_note " hack/integration-test-env-goland.sh | pbcopy"
|
||||||
@ -501,3 +569,4 @@ log_note
|
|||||||
log_note "To delete the deployments, run:"
|
log_note "To delete the deployments, run:"
|
||||||
log_note " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y"
|
log_note " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y"
|
||||||
log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
|
log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
|
||||||
|
log_note
|
||||||
|
@ -98,7 +98,7 @@ if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_u
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Read the env vars output by hack/prepare-for-integration-tests.sh
|
# Read the env vars output by hack/prepare-for-integration-tests.sh
|
||||||
source /tmp/integration-test-env
|
source "/tmp/integration-test-env"
|
||||||
|
|
||||||
# Choose some filenames.
|
# Choose some filenames.
|
||||||
root_ca_crt_path=root_ca.crt
|
root_ca_crt_path=root_ca.crt
|
||||||
|
Loading…
Reference in New Issue
Block a user