Compare commits
5 Commits
main
...
ben/deploy
Author | SHA1 | Date | |
---|---|---|---|
|
929280973a | ||
|
a861bb4daa | ||
|
63434b1a8e | ||
|
fcdab498e2 | ||
|
92fa84a277 |
138
deploy/concierge/config/values.yaml
Normal file
138
deploy/concierge/config/values.yaml
Normal file
@ -0,0 +1,138 @@
|
|||||||
|
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
#@data/values-schema
|
||||||
|
---
|
||||||
|
#@schema/desc "Name of pinniped-concierge."
|
||||||
|
app_name: pinniped-concierge
|
||||||
|
|
||||||
|
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
|
||||||
|
namespace: pinniped-concierge
|
||||||
|
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
|
||||||
|
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
|
||||||
|
#@schema/desc into_namespace_desc
|
||||||
|
#@schema/nullable
|
||||||
|
into_namespace: my-preexisting-namespace
|
||||||
|
|
||||||
|
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
|
||||||
|
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
|
||||||
|
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
|
||||||
|
#@ The app can be uninstalled either by: \
|
||||||
|
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
|
||||||
|
#@ resources that were dynamically created by controllers at runtime \
|
||||||
|
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
|
||||||
|
#@schema/desc custom_labels_desc
|
||||||
|
#@schema/type any=True
|
||||||
|
#@schema/nullable
|
||||||
|
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
||||||
|
|
||||||
|
#@schema/desc "Specify how many replicas of the Pinniped server to run."
|
||||||
|
replicas: 2
|
||||||
|
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
#@schema/nullable
|
||||||
|
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
image_tag: latest
|
||||||
|
|
||||||
|
#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
|
||||||
|
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
|
||||||
|
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
|
||||||
|
#@schema/desc kube_cert_agent_image
|
||||||
|
#@schema/nullable
|
||||||
|
kube_cert_agent_image: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
|
||||||
|
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
|
||||||
|
#@ Can be used when the above image_repo is a private registry. \
|
||||||
|
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data['.dockerconfigjson']' \
|
||||||
|
#@ Optional."
|
||||||
|
#@schema/desc image_pull_dockerconfigjson_desc
|
||||||
|
#@schema/nullable
|
||||||
|
image_pull_dockerconfigjson: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
|
||||||
|
#@schema/desc "Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden."
|
||||||
|
#@schema/nullable
|
||||||
|
discovery_url: https://example.com
|
||||||
|
|
||||||
|
|
||||||
|
#@ api_serving_certificate_desc = "Specify the duration and renewal interval for the API serving certificate. \
|
||||||
|
#@ The defaults are set to expire the cert about every 30 days, and to rotate it \
|
||||||
|
#@ about every 25 days."
|
||||||
|
#@schema/desc api_serving_certificate_desc
|
||||||
|
api_serving_certificate_duration_seconds: 2592000
|
||||||
|
#@schema/desc api_serving_certificate_desc
|
||||||
|
api_serving_certificate_renew_before_seconds: 2160000
|
||||||
|
|
||||||
|
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
||||||
|
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
||||||
|
#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
|
||||||
|
#@schema/nullable
|
||||||
|
log_level: info
|
||||||
|
#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
|
||||||
|
#@ By default, when this value is left unset, logs are formatted in json. \
|
||||||
|
#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
|
||||||
|
#@schema/desc deprecated_log_format_desc
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_log_format: json
|
||||||
|
|
||||||
|
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_user: 65532
|
||||||
|
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_group: 65532
|
||||||
|
|
||||||
|
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
|
||||||
|
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
|
||||||
|
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
|
||||||
|
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
|
||||||
|
#@schema/desc api_group_suffix_desc
|
||||||
|
api_group_suffix: pinniped.dev
|
||||||
|
|
||||||
|
|
||||||
|
#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
|
||||||
|
impersonation_proxy_spec:
|
||||||
|
#! options are "auto", "disabled" or "enabled".
|
||||||
|
#! If auto, the impersonation proxy will run only if the cluster signing key is not available
|
||||||
|
#! and the other strategy does not work.
|
||||||
|
#! If disabled, the impersonation proxy will never run, which could mean that the concierge
|
||||||
|
#! doesn't work at all.
|
||||||
|
#! If enabled, the impersonation proxy will always run regardless of other strategies available.
|
||||||
|
#@schema/desc "If enabled, the impersonation proxy will always run regardless of other strategies available."
|
||||||
|
mode: auto
|
||||||
|
#@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
|
||||||
|
#@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
|
||||||
|
#@schema/desc external_endpoint_desc
|
||||||
|
#@schema/nullable
|
||||||
|
external_endpoint: 1.2.3.4:5678
|
||||||
|
#@schema/desc "The impersonation proxy service configuration"
|
||||||
|
service:
|
||||||
|
#! Options are "LoadBalancer", "ClusterIP" and "None".
|
||||||
|
#! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
|
||||||
|
#! the impersonation proxy. Some cloud providers will allocate
|
||||||
|
#! a public IP address by default even on private clusters.
|
||||||
|
#! ClusterIP automatically provisions a Service of type ClusterIP pointing at the
|
||||||
|
#! impersonation proxy.
|
||||||
|
#! None does not provision either and assumes that you have set the external_endpoint
|
||||||
|
#! and set up your own ingress to connect to the impersonation proxy.
|
||||||
|
#@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'."
|
||||||
|
#@schema/nullable
|
||||||
|
type: LoadBalancer
|
||||||
|
#@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
|
||||||
|
#@schema/nullable
|
||||||
|
annotations:
|
||||||
|
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
|
||||||
|
#@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."
|
||||||
|
#@schema/nullable
|
||||||
|
load_balancer_ip: 1.2.3.4:5678
|
||||||
|
|
||||||
|
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
|
||||||
|
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
|
||||||
|
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
|
||||||
|
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
|
||||||
|
#@ Optional."
|
||||||
|
#@schema/desc https_proxy_desc
|
||||||
|
#@schema/nullable
|
||||||
|
https_proxy: http://proxy.example.com
|
||||||
|
#@schema/desc "do not proxy Kubernetes endpoints"
|
||||||
|
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
@ -1,107 +0,0 @@
|
|||||||
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
#@data/values
|
|
||||||
---
|
|
||||||
|
|
||||||
app_name: pinniped-concierge
|
|
||||||
|
|
||||||
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
|
||||||
namespace: pinniped-concierge
|
|
||||||
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
|
|
||||||
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
|
||||||
into_namespace: #! e.g. my-preexisting-namespace
|
|
||||||
|
|
||||||
#! All resources created statically by yaml at install-time and all resources created dynamically
|
|
||||||
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
|
|
||||||
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
|
|
||||||
#! The app can be uninstalled either by:
|
|
||||||
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
|
|
||||||
#! resources that were dynamically created by controllers at runtime
|
|
||||||
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
|
|
||||||
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
|
||||||
|
|
||||||
#! Specify how many replicas of the Pinniped server to run.
|
|
||||||
replicas: 2
|
|
||||||
|
|
||||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
|
||||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
|
||||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
|
||||||
image_tag: latest
|
|
||||||
|
|
||||||
#! Optionally specify a different image for the "kube-cert-agent" pod which is scheduled
|
|
||||||
#! on the control plane. This image needs only to include `sleep` and `cat` binaries.
|
|
||||||
#! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
|
|
||||||
kube_cert_agent_image:
|
|
||||||
|
|
||||||
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
|
||||||
#! Can be used when the above image_repo is a private registry.
|
|
||||||
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
|
||||||
#! Optional.
|
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
|
||||||
|
|
||||||
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
|
|
||||||
#! This setting allows the guess to be overridden.
|
|
||||||
#! Optional.
|
|
||||||
discovery_url: #! e.g., https://example.com
|
|
||||||
|
|
||||||
#! Specify the duration and renewal interval for the API serving certificate.
|
|
||||||
#! The defaults are set to expire the cert about every 30 days, and to rotate it
|
|
||||||
#! about every 25 days.
|
|
||||||
api_serving_certificate_duration_seconds: 2592000
|
|
||||||
api_serving_certificate_renew_before_seconds: 2160000
|
|
||||||
|
|
||||||
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
|
|
||||||
#! information), trace (timing information), all (kitchen sink).
|
|
||||||
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
|
||||||
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
|
|
||||||
#! By default, when this value is left unset, logs are formatted in json.
|
|
||||||
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
|
|
||||||
deprecated_log_format:
|
|
||||||
|
|
||||||
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
|
||||||
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
|
||||||
|
|
||||||
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
|
|
||||||
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
|
|
||||||
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
|
|
||||||
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
|
||||||
api_group_suffix: pinniped.dev
|
|
||||||
|
|
||||||
#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
|
|
||||||
#! handles impersonation.
|
|
||||||
impersonation_proxy_spec:
|
|
||||||
#! options are "auto", "disabled" or "enabled".
|
|
||||||
#! If auto, the impersonation proxy will run only if the cluster signing key is not available
|
|
||||||
#! and the other strategy does not work.
|
|
||||||
#! If disabled, the impersonation proxy will never run, which could mean that the concierge
|
|
||||||
#! doesn't work at all.
|
|
||||||
#! If enabled, the impersonation proxy will always run regardless of other strategies available.
|
|
||||||
mode: auto
|
|
||||||
#! The endpoint which the client should use to connect to the impersonation proxy.
|
|
||||||
#! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
|
|
||||||
#! endpoint.
|
|
||||||
external_endpoint:
|
|
||||||
service:
|
|
||||||
#! Options are "LoadBalancer", "ClusterIP" and "None".
|
|
||||||
#! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
|
|
||||||
#! the impersonation proxy. Some cloud providers will allocate
|
|
||||||
#! a public IP address by default even on private clusters.
|
|
||||||
#! ClusterIP automatically provisions a Service of type ClusterIP pointing at the
|
|
||||||
#! impersonation proxy.
|
|
||||||
#! None does not provision either and assumes that you have set the external_endpoint
|
|
||||||
#! and set up your own ingress to connect to the impersonation proxy.
|
|
||||||
type: LoadBalancer
|
|
||||||
#! The annotations that should be set on the ClusterIP or LoadBalancer Service.
|
|
||||||
annotations:
|
|
||||||
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
|
|
||||||
#! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
|
|
||||||
load_balancer_ip:
|
|
||||||
|
|
||||||
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers.
|
|
||||||
#! These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS,
|
|
||||||
#! e.g. when the Concierge fetches discovery documents, JWKS keys, and POSTs to token webhooks.
|
|
||||||
#! The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
|
|
||||||
#! Optional.
|
|
||||||
https_proxy: #! e.g. http://proxy.example.com
|
|
||||||
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
|
176
deploy/supervisor/config/values.yaml
Normal file
176
deploy/supervisor/config/values.yaml
Normal file
@ -0,0 +1,176 @@
|
|||||||
|
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||||
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
#@data/values-schema
|
||||||
|
---
|
||||||
|
#@schema/desc "Name of pinniped-supervisor."
|
||||||
|
app_name: pinniped-supervisor
|
||||||
|
|
||||||
|
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
|
||||||
|
namespace: pinniped-supervisor
|
||||||
|
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
|
||||||
|
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
|
||||||
|
#@schema/desc into_namespace_desc
|
||||||
|
#@schema/nullable
|
||||||
|
into_namespace: my-preexisting-namespace
|
||||||
|
|
||||||
|
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
|
||||||
|
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
|
||||||
|
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
|
||||||
|
#@ The app can be uninstalled either by: \
|
||||||
|
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
|
||||||
|
#@ resources that were dynamically created by controllers at runtime \
|
||||||
|
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
|
||||||
|
#@schema/desc custom_labels_desc
|
||||||
|
#@schema/type any=True
|
||||||
|
#@schema/nullable
|
||||||
|
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
||||||
|
|
||||||
|
#@schema/desc "Specify how many replicas of the Pinniped server to run."
|
||||||
|
replicas: 2
|
||||||
|
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
#@schema/nullable
|
||||||
|
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||||
|
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
|
||||||
|
image_tag: latest
|
||||||
|
|
||||||
|
#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
|
||||||
|
#@ Can be used when the above image_repo is a private registry. \
|
||||||
|
#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data['.dockerconfigjson']' \
|
||||||
|
#@ Optional."
|
||||||
|
#@schema/desc image_pull_dockerconfigjson_desc
|
||||||
|
#@schema/nullable
|
||||||
|
image_pull_dockerconfigjson: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
|
||||||
|
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
|
||||||
|
#! Typically, you would set a value for only one of the following service types.
|
||||||
|
#! Setting any of these values means that a Service of that type will be created. They are all optional.
|
||||||
|
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
|
||||||
|
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
|
||||||
|
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
|
||||||
|
#@schema/desc "will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_service_http_nodeport_port: 31234
|
||||||
|
#@schema/desc "will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_service_http_nodeport_nodeport: 31234
|
||||||
|
#@schema/desc "will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_service_http_loadbalancer_port: 8443
|
||||||
|
#@schema/desc "#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_service_http_clusterip_port: 8443
|
||||||
|
#@schema/desc "#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_nodeport_port: 31243
|
||||||
|
#@schema/desc "#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_nodeport_nodeport: 31243
|
||||||
|
#@schema/desc "#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_loadbalancer_port: 8443
|
||||||
|
#@schema/desc "#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_clusterip_port: 8443
|
||||||
|
#@ service_loadbalancer_ip_desc="The `loadBalancerIP` value of the LoadBalancer Service. \
|
||||||
|
#@ Ignored unless service_https_loadbalancer_port is provided."
|
||||||
|
#@schema/desc service_loadbalancer_ip_desc
|
||||||
|
#@schema/nullable
|
||||||
|
service_loadbalancer_ip: 1.2.3.4
|
||||||
|
|
||||||
|
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
||||||
|
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
||||||
|
#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
|
||||||
|
#@schema/nullable
|
||||||
|
log_level: info
|
||||||
|
#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
|
||||||
|
#@ By default, when this value is left unset, logs are formatted in json. \
|
||||||
|
#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
|
||||||
|
#@schema/desc deprecated_log_format_desc
|
||||||
|
#@schema/nullable
|
||||||
|
deprecated_log_format: json
|
||||||
|
|
||||||
|
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_user: 65532
|
||||||
|
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
|
||||||
|
run_as_group: 65532
|
||||||
|
|
||||||
|
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
|
||||||
|
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
|
||||||
|
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
|
||||||
|
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
|
||||||
|
#@schema/desc api_group_suffix_desc
|
||||||
|
api_group_suffix: pinniped.dev
|
||||||
|
|
||||||
|
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
|
||||||
|
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
|
||||||
|
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
|
||||||
|
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
|
||||||
|
#@ Optional."
|
||||||
|
#@schema/desc https_proxy_desc
|
||||||
|
#@schema/nullable
|
||||||
|
https_proxy: http://proxy.example.com
|
||||||
|
#@schema/desc "do not proxy Kubernetes endpoints"
|
||||||
|
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
|
||||||
|
|
||||||
|
#! Control the HTTP and HTTPS listeners of the Supervisor.
|
||||||
|
#!
|
||||||
|
#! The schema of this config is as follows:
|
||||||
|
#!
|
||||||
|
#! endpoints:
|
||||||
|
#! https:
|
||||||
|
#! network: tcp | unix | disabled
|
||||||
|
#! address: host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
|
||||||
|
#! http:
|
||||||
|
#! network: same as above
|
||||||
|
#! address: same as above, except that when network=tcp then the address is only allowed to bind to loopback interfaces
|
||||||
|
#!
|
||||||
|
#! Setting network to disabled turns off that particular listener.
|
||||||
|
#! See https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial for a description of what can be
|
||||||
|
#! specified in the address parameter based on the given network parameter. To aid in the use of unix
|
||||||
|
#! domain sockets, a writable empty dir volume is mounted at /pinniped_socket when network is set to "unix."
|
||||||
|
#!
|
||||||
|
#! The current defaults are:
|
||||||
|
#!
|
||||||
|
#! endpoints:
|
||||||
|
#! https:
|
||||||
|
#! network: tcp
|
||||||
|
#! address: :8443
|
||||||
|
#! http:
|
||||||
|
#! network: disabled
|
||||||
|
#!
|
||||||
|
#! These defaults mean: For HTTPS listening, bind to all interfaces using TCP on port 8443.
|
||||||
|
#! Disable HTTP listening by default.
|
||||||
|
#!
|
||||||
|
#! The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept
|
||||||
|
#! traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be
|
||||||
|
#! used to accept traffic from outside the pod, since that would mean that the network traffic could be
|
||||||
|
#! transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod.
|
||||||
|
#! Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic
|
||||||
|
#! to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes.
|
||||||
|
#!
|
||||||
|
#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
|
||||||
|
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
|
||||||
|
#!
|
||||||
|
#@schema/desc "Control the HTTP and HTTPS listeners of the Supervisor."
|
||||||
|
#@schema/nullable
|
||||||
|
endpoints:
|
||||||
|
https:
|
||||||
|
network: tcp
|
||||||
|
address: 1.2.3.4:5678
|
||||||
|
|
||||||
|
#! deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints. \
|
||||||
|
#! http value which checks that only loopback interfaces are used. \
|
||||||
|
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any \
|
||||||
|
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced \
|
||||||
|
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time \
|
||||||
|
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods. \
|
||||||
|
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time \
|
||||||
|
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available. \
|
||||||
|
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false. \
|
||||||
|
#! Optional."
|
||||||
|
#@schema/desc https_proxy_desc
|
||||||
|
deprecated_insecure_accept_external_unencrypted_http_requests: false
|
@ -1,133 +0,0 @@
|
|||||||
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
#@data/values
|
|
||||||
---
|
|
||||||
|
|
||||||
app_name: pinniped-supervisor
|
|
||||||
|
|
||||||
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
|
||||||
namespace: pinniped-supervisor
|
|
||||||
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
|
|
||||||
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
|
||||||
into_namespace: #! e.g. my-preexisting-namespace
|
|
||||||
|
|
||||||
#! All resources created statically by yaml at install-time and all resources created dynamically
|
|
||||||
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
|
|
||||||
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
|
|
||||||
#! The app can be uninstalled either by:
|
|
||||||
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
|
|
||||||
#! resources that were dynamically created by controllers at runtime
|
|
||||||
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
|
|
||||||
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
|
|
||||||
|
|
||||||
#! Specify how many replicas of the Pinniped server to run.
|
|
||||||
replicas: 2
|
|
||||||
|
|
||||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
|
||||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
|
||||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
|
||||||
image_tag: latest
|
|
||||||
|
|
||||||
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
|
||||||
#! Can be used when the above image_repo is a private registry.
|
|
||||||
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
|
||||||
#! Optional.
|
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
|
||||||
|
|
||||||
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
|
|
||||||
#! Typically, you would set a value for only one of the following service types.
|
|
||||||
#! Setting any of these values means that a Service of that type will be created. They are all optional.
|
|
||||||
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
|
|
||||||
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
|
|
||||||
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
|
|
||||||
deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
|
|
||||||
deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
|
|
||||||
deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
|
||||||
deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
|
||||||
service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
|
|
||||||
service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
|
|
||||||
service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
|
||||||
service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
|
||||||
#! The `loadBalancerIP` value of the LoadBalancer Service.
|
|
||||||
#! Ignored unless service_https_loadbalancer_port is provided.
|
|
||||||
#! Optional.
|
|
||||||
service_loadbalancer_ip: #! e.g. 1.2.3.4
|
|
||||||
|
|
||||||
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
|
||||||
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
|
||||||
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
|
||||||
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
|
|
||||||
#! By default, when this value is left unset, logs are formatted in json.
|
|
||||||
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
|
|
||||||
deprecated_log_format:
|
|
||||||
|
|
||||||
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
|
||||||
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
|
||||||
|
|
||||||
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
|
|
||||||
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
|
|
||||||
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
|
|
||||||
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
|
|
||||||
api_group_suffix: pinniped.dev
|
|
||||||
|
|
||||||
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
|
|
||||||
#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
|
|
||||||
#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
|
|
||||||
#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
|
|
||||||
#! Optional.
|
|
||||||
https_proxy: #! e.g. http://proxy.example.com
|
|
||||||
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
|
||||||
|
|
||||||
#! Control the HTTP and HTTPS listeners of the Supervisor.
|
|
||||||
#!
|
|
||||||
#! The schema of this config is as follows:
|
|
||||||
#!
|
|
||||||
#! endpoints:
|
|
||||||
#! https:
|
|
||||||
#! network: tcp | unix | disabled
|
|
||||||
#! address: host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
|
|
||||||
#! http:
|
|
||||||
#! network: same as above
|
|
||||||
#! address: same as above, except that when network=tcp then the address is only allowed to bind to loopback interfaces
|
|
||||||
#!
|
|
||||||
#! Setting network to disabled turns off that particular listener.
|
|
||||||
#! See https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial for a description of what can be
|
|
||||||
#! specified in the address parameter based on the given network parameter. To aid in the use of unix
|
|
||||||
#! domain sockets, a writable empty dir volume is mounted at /pinniped_socket when network is set to "unix."
|
|
||||||
#!
|
|
||||||
#! The current defaults are:
|
|
||||||
#!
|
|
||||||
#! endpoints:
|
|
||||||
#! https:
|
|
||||||
#! network: tcp
|
|
||||||
#! address: :8443
|
|
||||||
#! http:
|
|
||||||
#! network: disabled
|
|
||||||
#!
|
|
||||||
#! These defaults mean: For HTTPS listening, bind to all interfaces using TCP on port 8443.
|
|
||||||
#! Disable HTTP listening by default.
|
|
||||||
#!
|
|
||||||
#! The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept
|
|
||||||
#! traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be
|
|
||||||
#! used to accept traffic from outside the pod, since that would mean that the network traffic could be
|
|
||||||
#! transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod.
|
|
||||||
#! Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic
|
|
||||||
#! to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes.
|
|
||||||
#!
|
|
||||||
#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
|
|
||||||
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
|
|
||||||
#!
|
|
||||||
#! Optional.
|
|
||||||
endpoints:
|
|
||||||
|
|
||||||
#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
|
|
||||||
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
|
|
||||||
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
|
|
||||||
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
|
|
||||||
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
|
|
||||||
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
|
|
||||||
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
|
|
||||||
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
|
|
||||||
#! Optional.
|
|
||||||
deprecated_insecure_accept_external_unencrypted_http_requests: false
|
|
@ -338,7 +338,7 @@ if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_supervisor" !=
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..."
|
log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..."
|
||||||
pushd deploy/supervisor >/dev/null
|
pushd deploy/supervisor/config >/dev/null
|
||||||
ytt --file . \
|
ytt --file . \
|
||||||
--data-value "app_name=$supervisor_app_name" \
|
--data-value "app_name=$supervisor_app_name" \
|
||||||
--data-value "namespace=$supervisor_namespace" \
|
--data-value "namespace=$supervisor_namespace" \
|
||||||
@ -380,7 +380,7 @@ if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_concierge" !=
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
log_note "Deploying the Pinniped Concierge app to the cluster using kapp..."
|
log_note "Deploying the Pinniped Concierge app to the cluster using kapp..."
|
||||||
pushd deploy/concierge >/dev/null
|
pushd deploy/concierge/config >/dev/null
|
||||||
ytt --file . \
|
ytt --file . \
|
||||||
--data-value "app_name=$concierge_app_name" \
|
--data-value "app_name=$concierge_app_name" \
|
||||||
--data-value "namespace=$concierge_namespace" \
|
--data-value "namespace=$concierge_namespace" \
|
||||||
|
Loading…
Reference in New Issue
Block a user