simplify env vars again, create one well known /tmp/integration-test-env file again

- update kind config to include local registry
- configure kind cluster to talk to local registry
- docker build & push pinniped dev code to local registry
- deploy dev code of the following via the local registry:
  - concierge
  - supervisor
  - local-user-authenticator

deploy/concierge/values.yaml

@@ -1,75 +1,97 @@
 #! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
-#@data/values
+#@data/values-schema
 ---
-
+#@schema/desc "Name of pinniped-concierge."
 app_name: pinniped-concierge
 
-#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
 namespace: pinniped-concierge
-#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
-#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
-into_namespace: #! e.g. my-preexisting-namespace
+#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
+#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
+#@schema/desc into_namespace_desc
+#@schema/nullable
+into_namespace: my-preexisting-namespace
 
-#! All resources created statically by yaml at install-time and all resources created dynamically
-#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
-#! specified here. The value of `custom_labels` must be a map of string keys to string values.
-#! The app can be uninstalled either by:
-#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
-#!    resources that were dynamically created by controllers at runtime
-#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
-custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
+#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
+#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
+#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
+#@ The app can be uninstalled either by: \
+#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
+#@    resources that were dynamically created by controllers at runtime \
+#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
+#@schema/desc custom_labels_desc
+#@schema/type any=True
+custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
 
-#! Specify how many replicas of the Pinniped server to run.
+#@schema/desc "Specify how many replicas of the Pinniped server to run."
 replicas: 2
 
-#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
 image_repo: projects.registry.vmware.com/pinniped/pinniped-server
-image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
+#@schema/nullable
+image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
 image_tag: latest
 
-#! Optionally specify a different image for the "kube-cert-agent" pod which is scheduled
-#! on the control plane. This image needs only to include `sleep` and `cat` binaries.
-#! By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
-kube_cert_agent_image:
+#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
+#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
+#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
+#@schema/desc kube_cert_agent_image
+#@schema/nullable
+kube_cert_agent_image: projects.registry.vmware.com/pinniped/pinniped-server
 
-#! Specifies a secret to be used when pulling the above `image_repo` container image.
-#! Can be used when the above image_repo is a private registry.
-#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-#! Optional.
-image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
+#@ Can be used when the above image_repo is a private registry. \
+#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=\"USERNAME\" --docker-password=\"PASSWORD\" --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]' \
+#@ Optional."
+#! base64 encoded: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#! result: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ==
+#@schema/desc image_pull_dockerconfigjson_desc
+#@schema/nullable
+image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
 
-#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
-#! This setting allows the guess to be overridden.
-#! Optional.
-discovery_url: #! e.g., https://example.com
+#@schema/desc "Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden."
+#@schema/nullable
+discovery_url: https://example.com
 
-#! Specify the duration and renewal interval for the API serving certificate.
-#! The defaults are set to expire the cert about every 30 days, and to rotate it
-#! about every 25 days.
+
+#@ api_serving_certificate_desc = "Specify the duration and renewal interval for the API serving certificate. \
+#@ The defaults are set to expire the cert about every 30 days, and to rotate it \
+#@ about every 25 days."
+#@schema/desc api_serving_certificate_desc
 api_serving_certificate_duration_seconds: 2592000
+#@schema/desc api_serving_certificate_desc
 api_serving_certificate_renew_before_seconds: 2160000
 
-#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
-#! information), trace (timing information), all (kitchen sink).
-log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
-#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
-#! By default, when this value is left unset, logs are formatted in json.
-#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
-deprecated_log_format:
+#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
+#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
+#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
+#@schema/nullable
+log_level: info
+#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
+#@ By default, when this value is left unset, logs are formatted in json. \
+#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
+#@schema/desc deprecated_log_format_desc
+#@schema/nullable
+deprecated_log_format: json
 
-run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
-run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
+run_as_user: 65532
+#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
+run_as_group: 65532
 
-#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
-#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
-#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
-#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
+#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
+#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
+#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
+#@schema/desc api_group_suffix_desc
 api_group_suffix: pinniped.dev
 
-#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
-#! handles impersonation.
+
+#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
 impersonation_proxy_spec:
   #! options are "auto", "disabled" or "enabled".
   #! If auto, the impersonation proxy will run only if the cluster signing key is not available
@@ -77,11 +99,14 @@ impersonation_proxy_spec:
   #! If disabled, the impersonation proxy will never run, which could mean that the concierge
   #! doesn't work at all.
   #! If enabled, the impersonation proxy will always run regardless of other strategies available.
+  #@schema/desc "If enabled, the impersonation proxy will always run regardless of other strategies available."
   mode: auto
-  #! The endpoint which the client should use to connect to the impersonation proxy.
-  #! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
-  #! endpoint.
-  external_endpoint:
+  #@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
+  #@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
+  #@schema/desc external_endpoint_desc
+  #@schema/nullable
+  external_endpoint: 1.2.3.4:5678
+  #@schema/desc "The impersonation proxy service configuration"
   service:
     #! Options are "LoadBalancer", "ClusterIP" and "None".
     #! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
@@ -91,17 +116,24 @@ impersonation_proxy_spec:
     #! impersonation proxy.
     #! None does not provision either and assumes that you have set the external_endpoint
     #! and set up your own ingress to connect to the impersonation proxy.
+    #@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'."
+    #@schema/nullable
     type: LoadBalancer
-    #! The annotations that should be set on the ClusterIP or LoadBalancer Service.
+    #@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
+    #@schema/nullable
     annotations:
       {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
-    #! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
-    load_balancer_ip:
+    #@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."
+    #@schema/nullable
+    load_balancer_ip: 1.2.3.4:5678
 
-#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers.
-#! These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS,
-#! e.g. when the Concierge fetches discovery documents, JWKS keys, and POSTs to token webhooks.
-#! The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
-#! Optional.
-https_proxy: #! e.g. http://proxy.example.com
+#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
+#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
+#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
+#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
+#@ Optional."
+#@schema/desc https_proxy_desc
+#@schema/nullable
+https_proxy: http://proxy.example.com
+#@schema/desc "do not proxy Kubernetes endpoints"
 no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints

deploy/local-user-authenticator/values.yaml

@@ -1,19 +1,26 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
-#@data/values
+#@data/values-schema
 ---
 
-#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
 image_repo: projects.registry.vmware.com/pinniped/pinniped-server
-image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
+#@schema/nullable
+image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
 image_tag: latest
 
-#! Specifies a secret to be used when pulling the above `image_repo` container image.
-#! Can be used when the above image_repo is a private registry.
-#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-#! Optional.
-image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
+#@ Can be used when the above image_repo is a private registry. \
+#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data['.dockerconfigjson']' \
+#@ Optional."
+#@schema/desc image_pull_dockerconfigjson_desc
+#@schema/nullable
+image_pull_dockerconfigjson: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
 
-run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
-run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
+run_as_user: 65532
+#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
+run_as_group: 65532

deploy/supervisor/values.yaml

@@ -1,39 +1,50 @@
 #! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
-#@data/values
+#@data/values-schema
 ---
-
+#@schema/desc "Name of pinniped-supervisor."
 app_name: pinniped-supervisor
 
-#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
 namespace: pinniped-supervisor
-#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
-#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
-into_namespace: #! e.g. my-preexisting-namespace
+#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
+#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
+#@schema/desc into_namespace_desc
+#@schema/nullable
+into_namespace: my-preexisting-namespace
 
-#! All resources created statically by yaml at install-time and all resources created dynamically
-#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
-#! specified here. The value of `custom_labels` must be a map of string keys to string values.
-#! The app can be uninstalled either by:
-#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
-#!    resources that were dynamically created by controllers at runtime
-#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
-custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
+#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
+#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
+#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
+#@ The app can be uninstalled either by: \
+#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
+#@    resources that were dynamically created by controllers at runtime \
+#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
+#@schema/desc custom_labels_desc
+#@schema/type any=True
+custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
 
-#! Specify how many replicas of the Pinniped server to run.
+#@schema/desc "Specify how many replicas of the Pinniped server to run."
 replicas: 2
 
-#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
 image_repo: projects.registry.vmware.com/pinniped/pinniped-server
-image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
+#@schema/nullable
+image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
 image_tag: latest
 
-#! Specifies a secret to be used when pulling the above `image_repo` container image.
-#! Can be used when the above image_repo is a private registry.
-#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
-#! Optional.
-image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#@ image_pull_dockerconfigjson_desc = "Specifies a secret to be used when pulling the above `image_repo` container image. \
+#@ Can be used when the above image_repo is a private registry. \
+#@ Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=\"USERNAME\" --docker-password=\"PASSWORD\" --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]' \
+#@ Optional."
+#! base64 encoded: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+#! result: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ==
+#@schema/desc image_pull_dockerconfigjson_desc
+#@schema/nullable
+image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
 
 #! Specify how to expose the Supervisor app's HTTPS port as a Service.
 #! Typically, you would set a value for only one of the following service types.
@@ -41,43 +52,70 @@ image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"
 #! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
 #! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
 #! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
-deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
-deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
-deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
-deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
-service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
-service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
-service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
-service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
-#! The `loadBalancerIP` value of the LoadBalancer Service.
-#! Ignored unless service_https_loadbalancer_port is provided.
-#! Optional.
-service_loadbalancer_ip: #! e.g. 1.2.3.4
+#@schema/desc "will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
+#@schema/nullable
+deprecated_service_http_nodeport_port: 31234
+#@schema/desc "will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
+#@schema/nullable
+deprecated_service_http_nodeport_nodeport: 31234
+#@schema/desc "will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
+#@schema/nullable
+deprecated_service_http_loadbalancer_port: 8443
+#@schema/desc "#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
+#@schema/nullable
+deprecated_service_http_clusterip_port: 8443
+#@schema/desc "#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
+#@schema/nullable
+service_https_nodeport_port: 31243
+#@schema/desc "#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
+#@schema/nullable
+service_https_nodeport_nodeport: 31243
+#@schema/desc "#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
+#@schema/nullable
+service_https_loadbalancer_port: 8443
+#@schema/desc "#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
+#@schema/nullable
+service_https_clusterip_port: 8443
+#@ service_loadbalancer_ip_desc="The `loadBalancerIP` value of the LoadBalancer Service. \
+#@ Ignored unless service_https_loadbalancer_port is provided."
+#@schema/desc service_loadbalancer_ip_desc
+#@schema/nullable
+service_loadbalancer_ip: 1.2.3.4
 
 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
 #! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
-log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
-#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
-#! By default, when this value is left unset, logs are formatted in json.
-#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
-deprecated_log_format:
+#@schema/desc "default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
+#@schema/nullable
+log_level: info
+#@ deprecated_log_format_desc = "Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). \
+#@ By default, when this value is left unset, logs are formatted in json. \
+#@ This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json."
+#@schema/desc deprecated_log_format_desc
+#@schema/nullable
+deprecated_log_format: json
 
-run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
-run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
+run_as_user: 65532
+#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
+run_as_group: 65532
 
-#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
-#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
-#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
-#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
+#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
+#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
+#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
+#@schema/desc api_group_suffix_desc
 api_group_suffix: pinniped.dev
 
-#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
-#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
-#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
-#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
-#! Optional.
-https_proxy: #! e.g. http://proxy.example.com
-no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
+#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
+#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
+#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
+#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
+#@ Optional."
+#@schema/desc https_proxy_desc
+#@schema/nullable
+https_proxy: http://proxy.example.com
+#@schema/desc "do not proxy Kubernetes endpoints"
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
 
 #! Control the HTTP and HTTPS listeners of the Supervisor.
 #!
@@ -118,16 +156,22 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
 #! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
 #!
-#! Optional.
+#@schema/desc "Control the HTTP and HTTPS listeners of the Supervisor."
+#@schema/nullable
 endpoints:
+  https:
+    network: tcp
+    address: 1.2.3.4:5678
 
-#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
-#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
-#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
-#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
-#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
-#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
-#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
-#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
-#! Optional.
+#! deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints. \
+#! http value which checks that only loopback interfaces are used. \
+#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any \
+#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced \
+#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time \
+#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods. \
+#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time \
+#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available. \
+#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false. \
+#! Optional."
+#@schema/desc https_proxy_desc
 deprecated_insecure_accept_external_unencrypted_http_requests: false

deploy_carvel/.gitignore

@@ -0,0 +1,12 @@
+# package_repository/packages/{pkg}/ contains specific SHAs of images
+# we are using 0.0.0- to indicate dev versions of images
+*0.0.0*
+
+# installation artifacts will be generated here
+deploy_carvel/deploy/
+
+# images.yml files contain specific SHAs of images
+concierge/.imgpkg/images.yml
+supervisor/.imgpkg/images.yml
+local-user-authenticator/.imgpkg/images.yml
+package_repository/.imgpkg/images.yml

deploy_carvel/concierge/.gitignore

@@ -0,0 +1 @@
+config/

deploy_carvel/concierge/README.md

@@ -0,0 +1,7 @@
+# Pinniped Concierge Deployment
+
+See [the how-to guide for details](https://pinniped.dev/docs/howto/concierge/).
+
+## In this directory:
+
+- the ./config symlink points to <root>/deploy/concierge

deploy_carvel/concierge/build.yml

@@ -0,0 +1,4 @@
+apiVersion: kbld.k14s.io/v1alpha1
+kind: Config
+minimumRequiredVersion: 0.31.0
+overrides:

deploy_carvel/concierge/metadata.yml

@@ -0,0 +1,10 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+  name: concierge.pinniped.dev
+spec:
+  displayName: "Pinniped Concierge"
+  longDescription: "Pinniped concierge enables consistent login across Kubernetes clusters on public cloud providers such as AKS, EKS and GKE"
+  shortDescription: "Pinniped concierge enables consistent login across public clouds"
+  categories:
+  - auth

deploy_carvel/concierge/package-template.yml

@@ -0,0 +1,29 @@
+#@ load("@ytt:data", "data")  # for reading data values (generated via ytt's data-values-schema-inspect mode).
+#@ load("@ytt:yaml", "yaml")  # for dynamically decoding the output of ytt's data-values-schema-inspect
+---
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: Package
+metadata:
+  name: #@ "concierge.pinniped.dev." + data.values.version
+spec:
+  refName: concierge.pinniped.dev
+  version: #@ data.values.version
+  releaseNotes: |
+        Initial release of the pinniped concierge package, TODO: AUTOMATE THIS??
+  valuesSchema:
+    openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
+  template:
+    spec:
+      fetch:
+      - imgpkgBundle:
+          image: #@ data.values.repo_host + ":" + data.values.version
+      template:
+      - ytt:
+          paths:
+          - "config/"
+      - kbld:
+          paths:
+          - ".imgpkg/images.yml"
+          - "-"
+      deploy:
+      - kapp: {}

deploy_carvel/concierge/schema-openapi.yaml

@@ -0,0 +1,137 @@
+openapi: 3.0.0
+info:
+  version: 0.1.0
+  title: Schema for data values, generated by ytt
+paths: {}
+components:
+  schemas:
+    dataValues:
+      type: object
+      additionalProperties: false
+      properties:
+        app_name:
+          type: string
+          description: Name of pinniped-concierge.
+          default: pinniped-concierge
+        namespace:
+          type: string
+          description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+          default: pinniped-concierge
+        into_namespace:
+          type: string
+          nullable: true
+          description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
+          default: null
+        custom_labels:
+          nullable: true
+          description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete    resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
+          default: {}
+        replicas:
+          type: integer
+          description: Specify how many replicas of the Pinniped server to run.
+          default: 2
+        image_repo:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: projects.registry.vmware.com/pinniped/pinniped-server
+        image_digest:
+          type: string
+          nullable: true
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: null
+        image_tag:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: latest
+        kube_cert_agent_image:
+          type: string
+          nullable: true
+          description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
+          default: null
+        image_pull_dockerconfigjson:
+          type: string
+          nullable: true
+          description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
+          default: null
+        discovery_url:
+          type: string
+          nullable: true
+          description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
+          default: null
+        api_serving_certificate_duration_seconds:
+          type: integer
+          description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
+          default: 2592000
+        api_serving_certificate_renew_before_seconds:
+          type: integer
+          description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
+          default: 2160000
+        log_level:
+          type: string
+          nullable: true
+          description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+          default: null
+        deprecated_log_format:
+          type: string
+          nullable: true
+          description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
+          default: null
+        run_as_user:
+          type: integer
+          description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        run_as_group:
+          type: integer
+          description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        api_group_suffix:
+          type: string
+          description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+          default: pinniped.dev
+        impersonation_proxy_spec:
+          type: object
+          additionalProperties: false
+          description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
+          properties:
+            mode:
+              type: string
+              description: If enabled, the impersonation proxy will always run regardless of other strategies available.
+              default: auto
+            external_endpoint:
+              type: string
+              nullable: true
+              description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
+              default: null
+            service:
+              type: object
+              additionalProperties: false
+              description: The impersonation proxy service configuration
+              properties:
+                type:
+                  type: string
+                  nullable: true
+                  description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
+                  default: null
+                annotations:
+                  type: object
+                  additionalProperties: false
+                  nullable: true
+                  description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
+                  properties:
+                    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
+                      type: string
+                      default: "4000"
+                load_balancer_ip:
+                  type: string
+                  nullable: true
+                  description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
+                  default: null
+        https_proxy:
+          type: string
+          nullable: true
+          description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
+          default: null
+        no_proxy:
+          type: string
+          description: do not proxy Kubernetes endpoints
+          default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local

deploy_carvel/concierge/schema-openapi.yml

@@ -0,0 +1,155 @@
+openapi: 3.0.0
+info:
+  version: 0.1.0
+  title: Schema for data values, generated by ytt
+paths: {}
+components:
+  schemas:
+    dataValues:
+      type: object
+      additionalProperties: false
+      properties:
+        app_name:
+          type: string
+          description: Name of pinniped-concierge.
+          default: pinniped-concierge
+        namespace:
+          type: string
+          description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+          default: pinniped-concierge
+        into_namespace:
+          type: string
+          nullable: true
+          description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
+          default: null
+        custom_labels:
+          nullable: true
+          description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete    resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
+          default: null
+        replicas:
+          type: integer
+          description: Specify how many replicas of the Pinniped server to run.
+          default: 2
+        image_repo:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: projects.registry.vmware.com/pinniped/pinniped-server
+        image_digest:
+          type: string
+          nullable: true
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: null
+        image_tag:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: latest
+        kube_cert_agent_image:
+          type: string
+          nullable: true
+          description: Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled on the control plane. This image needs only to include `sleep` and `cat` binaries. By default, the same image specified for image_repo/image_digest/image_tag will be re-used.
+          default: null
+        image_pull_dockerconfigjson:
+          type: object
+          additionalProperties: false
+          nullable: true
+          description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
+          properties:
+            auths:
+              type: object
+              additionalProperties: false
+              properties:
+                https://registry.example.com:
+                  type: object
+                  additionalProperties: false
+                  properties:
+                    username:
+                      type: string
+                      default: USERNAME
+                    password:
+                      type: string
+                      default: PASSWORD
+                    auth:
+                      type: string
+                      default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
+        discovery_url:
+          type: string
+          nullable: true
+          description: Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden.
+          default: null
+        api_serving_certificate_duration_seconds:
+          type: integer
+          description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
+          default: 2592000
+        api_serving_certificate_renew_before_seconds:
+          type: integer
+          description: Specify the duration and renewal interval for the API serving certificate. The defaults are set to expire the cert about every 30 days, and to rotate it about every 25 days.
+          default: 2160000
+        log_level:
+          type: string
+          nullable: true
+          description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+          default: null
+        deprecated_log_format:
+          type: string
+          nullable: true
+          description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
+          default: null
+        run_as_user:
+          type: integer
+          description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        run_as_group:
+          type: integer
+          description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        api_group_suffix:
+          type: string
+          description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+          default: pinniped.dev
+        impersonation_proxy_spec:
+          type: object
+          additionalProperties: false
+          description: Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation.
+          properties:
+            mode:
+              type: string
+              description: If enabled, the impersonation proxy will always run regardless of other strategies available.
+              default: auto
+            external_endpoint:
+              type: string
+              nullable: true
+              description: The endpoint which the client should use to connect to the impersonation proxy. If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint.
+              default: null
+            service:
+              type: object
+              additionalProperties: false
+              description: The impersonation proxy service configuration
+              properties:
+                type:
+                  type: string
+                  nullable: true
+                  description: Options are 'LoadBalancer', 'ClusterIP' and 'None'.
+                  default: null
+                annotations:
+                  type: object
+                  additionalProperties: false
+                  nullable: true
+                  description: The annotations that should be set on the ClusterIP or LoadBalancer Service.
+                  properties:
+                    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout:
+                      type: string
+                      default: "4000"
+                load_balancer_ip:
+                  type: string
+                  nullable: true
+                  description: When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
+                  default: null
+        https_proxy:
+          type: string
+          nullable: true
+          description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
+          default: null
+        no_proxy:
+          type: string
+          description: do not proxy Kubernetes endpoints
+          default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local

deploy_carvel/concierge/vendir.lock.yml

@@ -0,0 +1,7 @@
+apiVersion: vendir.k14s.io/v1alpha1
+directories:
+- contents:
+  - directory: {}
+    path: .
+  path: config
+kind: LockConfig

deploy_carvel/concierge/vendir.yml

@@ -0,0 +1,8 @@
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+- path: config
+  contents:
+  - path: .
+    directory:
+      path: ../../deploy/concierge

deploy_carvel/deploy/local-user-authenticator-pkginstall.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+    # name, does not have to be versioned, versionSelection.constraints below will handle
+    name: "local-user-authenticator-package-install"
+    namespace: "local-user-authenticator-install-ns"
+spec:
+  serviceAccountName: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
+  packageRef:
+    refName: "local-user-authenticator.pinniped.dev"
+    versionSelection:
+      constraints: "0.0.0-7E26B8EF-A4D6-4020-83E8-EAF8F3D1533F"
+  values:
+  - secretRef:
+      name: "local-user-authenticator-package-install-secret"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "local-user-authenticator-package-install-secret"
+  namespace: "local-user-authenticator-install-ns"
+stringData:
+  values.yml: |
+    ---
+    image_repo: kind-registry.local:5000/test/build
+    image_tag: 0.0.0-7E26B8EF-A4D6-4020-83E8-EAF8F3D1533F

deploy_carvel/deploy/pinniped-package-rbac-concierge-concierge-rbac.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "concierge-install-ns"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
+  namespace: "concierge-install-ns"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
+  namespace: "concierge-install-ns"
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "pinniped-package-rbac-concierge-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+  name: "pinniped-package-rbac-concierge-sa-superadmin-dangerous"
+  namespace: "concierge-install-ns"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "pinniped-package-rbac-concierge-role-superadmin-dangerous"
+

deploy_carvel/deploy/pinniped-package-rbac-local-user-authenticator-local-user-authenticator-rbac.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "local-user-authenticator-install-ns"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
+  namespace: "local-user-authenticator-install-ns"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "pinniped-package-rbac-local-user-authenticator-role-superadmin-dangerous"
+  namespace: "local-user-authenticator-install-ns"
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "pinniped-package-rbac-local-user-authenticator-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+  name: "pinniped-package-rbac-local-user-authenticator-sa-superadmin-dangerous"
+  namespace: "local-user-authenticator-install-ns"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "pinniped-package-rbac-local-user-authenticator-role-superadmin-dangerous"
+

deploy_carvel/deploy/pinniped-package-rbac-supervisor-supervisor-rbac.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "supervisor-install-ns"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
+  namespace: "supervisor-install-ns"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
+  namespace: "supervisor-install-ns"
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "pinniped-package-rbac-supervisor-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+  name: "pinniped-package-rbac-supervisor-sa-superadmin-dangerous"
+  namespace: "supervisor-install-ns"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "pinniped-package-rbac-supervisor-role-superadmin-dangerous"
+

deploy_carvel/local-user-authenticator/.gitignore

@@ -0,0 +1 @@
+config/

deploy_carvel/local-user-authenticator/README.md

@@ -0,0 +1,5 @@
+# local-user-authenticator
+
+## In this directory:
+
+- the ./config symlink points to <root>/deploy/local-user-authenticator

deploy_carvel/local-user-authenticator/build.yml

@@ -0,0 +1,4 @@
+apiVersion: kbld.k14s.io/v1alpha1
+kind: Config
+minimumRequiredVersion: 0.31.0
+overrides:

deploy_carvel/local-user-authenticator/metadata.yml

@@ -0,0 +1,11 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+  name: local-user-authenticator.pinniped.dev
+spec:
+  displayName: "local-user-authenticator"
+  longDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos. Note that this is not recommended for
+production use."
+  shortDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos."
+  categories:
+  - auth

deploy_carvel/local-user-authenticator/package-template.yml

@@ -0,0 +1,29 @@
+#@ load("@ytt:data", "data")  # for reading data values (generated via ytt's data-values-schema-inspect mode).
+#@ load("@ytt:yaml", "yaml")  # for dynamically decoding the output of ytt's data-values-schema-inspect
+---
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: Package
+metadata:
+  name: #@ "local-user-authenticator.pinniped.dev." + data.values.version
+spec:
+  refName: local-user-authenticator.pinniped.dev
+  version: #@ data.values.version
+  releaseNotes: |
+        Initial release of the local-user-authenticator package, TODO: AUTOMATE THIS??
+  valuesSchema:
+    openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
+  template:
+    spec:
+      fetch:
+      - imgpkgBundle:
+          image: #@ data.values.repo_host + ":" + data.values.version
+      template:
+      - ytt:
+          paths:
+          - "config/"
+      - kbld:
+          paths:
+          - ".imgpkg/images.yml"
+          - "-"
+      deploy:
+      - kapp: {}

deploy_carvel/local-user-authenticator/schema-openapi.yaml

@@ -0,0 +1,55 @@
+openapi: 3.0.0
+info:
+  version: 0.1.0
+  title: Schema for data values, generated by ytt
+paths: {}
+components:
+  schemas:
+    dataValues:
+      type: object
+      additionalProperties: false
+      properties:
+        image_repo:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: projects.registry.vmware.com/pinniped/pinniped-server
+        image_digest:
+          type: string
+          nullable: true
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: null
+        image_tag:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: latest
+        image_pull_dockerconfigjson:
+          type: object
+          additionalProperties: false
+          nullable: true
+          description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
+          properties:
+            auths:
+              type: object
+              additionalProperties: false
+              properties:
+                https://registry.example.com:
+                  type: object
+                  additionalProperties: false
+                  properties:
+                    username:
+                      type: string
+                      default: USERNAME
+                    password:
+                      type: string
+                      default: PASSWORD
+                    auth:
+                      type: string
+                      default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
+        run_as_user:
+          type: integer
+          description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        run_as_group:
+          type: integer
+          description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532

deploy_carvel/local-user-authenticator/schema-openapi.yml

@@ -0,0 +1,55 @@
+openapi: 3.0.0
+info:
+  version: 0.1.0
+  title: Schema for data values, generated by ytt
+paths: {}
+components:
+  schemas:
+    dataValues:
+      type: object
+      additionalProperties: false
+      properties:
+        image_repo:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: projects.registry.vmware.com/pinniped/pinniped-server
+        image_digest:
+          type: string
+          nullable: true
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: null
+        image_tag:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: latest
+        image_pull_dockerconfigjson:
+          type: object
+          additionalProperties: false
+          nullable: true
+          description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
+          properties:
+            auths:
+              type: object
+              additionalProperties: false
+              properties:
+                https://registry.example.com:
+                  type: object
+                  additionalProperties: false
+                  properties:
+                    username:
+                      type: string
+                      default: USERNAME
+                    password:
+                      type: string
+                      default: PASSWORD
+                    auth:
+                      type: string
+                      default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
+        run_as_user:
+          type: integer
+          description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        run_as_group:
+          type: integer
+          description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532

deploy_carvel/local-user-authenticator/vendir.lock.yml

@@ -0,0 +1,7 @@
+apiVersion: vendir.k14s.io/v1alpha1
+directories:
+- contents:
+  - directory: {}
+    path: .
+  path: config
+kind: LockConfig

deploy_carvel/local-user-authenticator/vendir.yml

@@ -0,0 +1,8 @@
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+- path: config
+  contents:
+  - path: .
+    directory:
+      path: ../../deploy/local-user-authenticator

deploy_carvel/package_repository/packages/concierge.pinniped.dev/metadata.yml

@@ -0,0 +1,10 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+  name: concierge.pinniped.dev
+spec:
+  displayName: "Pinniped Concierge"
+  longDescription: "Pinniped concierge enables consistent login across Kubernetes clusters on public cloud providers such as AKS, EKS and GKE"
+  shortDescription: "Pinniped concierge enables consistent login across public clouds"
+  categories:
+  - auth

deploy_carvel/package_repository/packages/local-user-authenticator.pinniped.dev/metadata.yml

@@ -0,0 +1,11 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+  name: local-user-authenticator.pinniped.dev
+spec:
+  displayName: "local-user-authenticator"
+  longDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos. Note that this is not recommended for
+production use."
+  shortDescription: "The local-user-authenticator app is an identity provider used for integration testing and demos."
+  categories:
+  - auth

deploy_carvel/package_repository/packages/supervisor.pinniped.dev/metadata.yml

@@ -0,0 +1,10 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+  name: supervisor.pinniped.dev
+spec:
+  displayName: "Pinniped Supervisor"
+  longDescription: "Pinniped supervisor allows seamless login across one or many Kubernetes clusters including AKS, EKS and GKE"
+  shortDescription: "Pinniped supervisor provides login capabilities"
+  categories:
+  - auth

deploy_carvel/supervisor/.gitignore

@@ -0,0 +1 @@
+config/

deploy_carvel/supervisor/README.md

@@ -0,0 +1,7 @@
+# Pinniped Supervisor Deployment
+
+See [the how-to guide for details](https://pinniped.dev/docs/howto/install-supervisor/).
+
+## In this directory:
+
+- the ./config symlink points to <root>/deploy/supervisor

deploy_carvel/supervisor/build.yml

@@ -0,0 +1,4 @@
+apiVersion: kbld.k14s.io/v1alpha1
+kind: Config
+minimumRequiredVersion: 0.31.0
+overrides:

deploy_carvel/supervisor/metadata.yml

@@ -0,0 +1,10 @@
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: PackageMetadata
+metadata:
+  name: supervisor.pinniped.dev
+spec:
+  displayName: "Pinniped Supervisor"
+  longDescription: "Pinniped supervisor allows seamless login across one or many Kubernetes clusters including AKS, EKS and GKE"
+  shortDescription: "Pinniped supervisor provides login capabilities"
+  categories:
+  - auth

deploy_carvel/supervisor/package-template.yml

@@ -0,0 +1,29 @@
+#@ load("@ytt:data", "data")  # for reading data values (generated via ytt's data-values-schema-inspect mode).
+#@ load("@ytt:yaml", "yaml")  # for dynamically decoding the output of ytt's data-values-schema-inspect
+---
+apiVersion: data.packaging.carvel.dev/v1alpha1
+kind: Package
+metadata:
+  name: #@ "supervisor.pinniped.dev." + data.values.version
+spec:
+  refName: supervisor.pinniped.dev
+  version: #@ data.values.version
+  releaseNotes: |
+        Initial release of the pinniped supervisor package, TODO: AUTOMATE THIS??
+  valuesSchema:
+    openAPIv3: #@ yaml.decode(data.values.openapi)["components"]["schemas"]["dataValues"]
+  template:
+    spec:
+      fetch:
+      - imgpkgBundle:
+          image: #@ data.values.repo_host + ":" + data.values.version
+      template:
+      - ytt:
+          paths:
+          - "config/"
+      - kbld:
+          paths:
+          - ".imgpkg/images.yml"
+          - "-"
+      deploy:
+      - kapp: {}

deploy_carvel/supervisor/schema-openapi.yaml

@@ -0,0 +1,146 @@
+openapi: 3.0.0
+info:
+  version: 0.1.0
+  title: Schema for data values, generated by ytt
+paths: {}
+components:
+  schemas:
+    dataValues:
+      type: object
+      additionalProperties: false
+      properties:
+        app_name:
+          type: string
+          description: Name of pinniped-supervisor.
+          default: pinniped-supervisor
+        namespace:
+          type: string
+          description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+          default: pinniped-supervisor
+        into_namespace:
+          type: string
+          nullable: true
+          description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
+          default: null
+        custom_labels:
+          nullable: true
+          description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete    resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
+          default: {}
+        replicas:
+          type: integer
+          description: Specify how many replicas of the Pinniped server to run.
+          default: 2
+        image_repo:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: projects.registry.vmware.com/pinniped/pinniped-server
+        image_digest:
+          type: string
+          nullable: true
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: null
+        image_tag:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: latest
+        image_pull_dockerconfigjson:
+          type: string
+          nullable: true
+          description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
+          default: null
+        deprecated_service_http_nodeport_port:
+          type: integer
+          nullable: true
+          description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
+          default: null
+        deprecated_service_http_nodeport_nodeport:
+          type: integer
+          nullable: true
+          description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
+          default: null
+        deprecated_service_http_loadbalancer_port:
+          type: integer
+          nullable: true
+          description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
+          default: null
+        deprecated_service_http_clusterip_port:
+          type: integer
+          nullable: true
+          description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
+          default: null
+        service_https_nodeport_port:
+          type: integer
+          nullable: true
+          description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
+          default: null
+        service_https_nodeport_nodeport:
+          type: integer
+          nullable: true
+          description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
+          default: null
+        service_https_loadbalancer_port:
+          type: integer
+          nullable: true
+          description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
+          default: null
+        service_https_clusterip_port:
+          type: integer
+          nullable: true
+          description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
+          default: null
+        service_loadbalancer_ip:
+          type: string
+          nullable: true
+          description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
+          default: null
+        log_level:
+          type: string
+          nullable: true
+          description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+          default: null
+        deprecated_log_format:
+          type: string
+          nullable: true
+          description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
+          default: null
+        run_as_user:
+          type: integer
+          description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        run_as_group:
+          type: integer
+          description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        api_group_suffix:
+          type: string
+          description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+          default: pinniped.dev
+        https_proxy:
+          type: string
+          nullable: true
+          description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
+          default: null
+        no_proxy:
+          type: string
+          description: do not proxy Kubernetes endpoints
+          default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
+        endpoints:
+          type: object
+          additionalProperties: false
+          nullable: true
+          description: Control the HTTP and HTTPS listeners of the Supervisor.
+          properties:
+            https:
+              type: object
+              additionalProperties: false
+              properties:
+                network:
+                  type: string
+                  default: tcp
+                address:
+                  type: string
+                  default: 1.2.3.4:5678
+        deprecated_insecure_accept_external_unencrypted_http_requests:
+          type: boolean
+          description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
+          default: false

deploy_carvel/supervisor/schema-openapi.yml

@@ -0,0 +1,164 @@
+openapi: 3.0.0
+info:
+  version: 0.1.0
+  title: Schema for data values, generated by ytt
+paths: {}
+components:
+  schemas:
+    dataValues:
+      type: object
+      additionalProperties: false
+      properties:
+        app_name:
+          type: string
+          description: Name of pinniped-supervisor.
+          default: pinniped-supervisor
+        namespace:
+          type: string
+          description: Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
+          default: pinniped-supervisor
+        into_namespace:
+          type: string
+          nullable: true
+          description: If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
+          default: null
+        custom_labels:
+          nullable: true
+          description: 'All resources created statically by yaml at install-time and all resources created dynamically by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete    resources that were dynamically created by controllers at runtime 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.'
+          default: null
+        replicas:
+          type: integer
+          description: Specify how many replicas of the Pinniped server to run.
+          default: 2
+        image_repo:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: projects.registry.vmware.com/pinniped/pinniped-server
+        image_digest:
+          type: string
+          nullable: true
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: null
+        image_tag:
+          type: string
+          description: Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+          default: latest
+        image_pull_dockerconfigjson:
+          type: object
+          additionalProperties: false
+          nullable: true
+          description: 'Specifies a secret to be used when pulling the above `image_repo` container image. Can be used when the above image_repo is a private registry. Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username=''USERNAME'' --docker-password=''PASSWORD'' --dry-run=client -o json | jq -r ''.data[''.dockerconfigjson'']'' Optional.'
+          properties:
+            auths:
+              type: object
+              additionalProperties: false
+              properties:
+                https://registry.example.com:
+                  type: object
+                  additionalProperties: false
+                  properties:
+                    username:
+                      type: string
+                      default: USERNAME
+                    password:
+                      type: string
+                      default: PASSWORD
+                    auth:
+                      type: string
+                      default: BASE64_ENCODED_USERNAME_COLON_PASSWORD
+        deprecated_service_http_nodeport_port:
+          type: integer
+          nullable: true
+          description: will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`
+          default: null
+        deprecated_service_http_nodeport_nodeport:
+          type: integer
+          nullable: true
+          description: will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified
+          default: null
+        deprecated_service_http_loadbalancer_port:
+          type: integer
+          nullable: true
+          description: will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`
+          default: null
+        deprecated_service_http_clusterip_port:
+          type: integer
+          nullable: true
+          description: '#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`'
+          default: null
+        service_https_nodeport_port:
+          type: integer
+          nullable: true
+          description: '#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`'
+          default: null
+        service_https_nodeport_nodeport:
+          type: integer
+          nullable: true
+          description: '#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified'
+          default: null
+        service_https_loadbalancer_port:
+          type: integer
+          nullable: true
+          description: '#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`'
+          default: null
+        service_https_clusterip_port:
+          type: integer
+          nullable: true
+          description: '#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`'
+          default: null
+        service_loadbalancer_ip:
+          type: string
+          nullable: true
+          description: The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided.
+          default: null
+        log_level:
+          type: string
+          nullable: true
+          description: default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+          default: null
+        deprecated_log_format:
+          type: string
+          nullable: true
+          description: 'Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs). By default, when this value is left unset, logs are formatted in json. This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.'
+          default: null
+        run_as_user:
+          type: integer
+          description: run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        run_as_group:
+          type: integer
+          description: run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
+          default: 65532
+        api_group_suffix:
+          type: string
+          description: Specify the API group suffix for all Pinniped API groups. By default, this is set to pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
+          default: pinniped.dev
+        https_proxy:
+          type: string
+          nullable: true
+          description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
+          default: null
+        no_proxy:
+          type: string
+          description: do not proxy Kubernetes endpoints
+          default: $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local
+        endpoints:
+          type: object
+          additionalProperties: false
+          nullable: true
+          description: Control the HTTP and HTTPS listeners of the Supervisor.
+          properties:
+            https:
+              type: object
+              additionalProperties: false
+              properties:
+                network:
+                  type: string
+                  default: tcp
+                address:
+                  type: string
+                  default: 1.2.3.4:5678
+        deprecated_insecure_accept_external_unencrypted_http_requests:
+          type: boolean
+          description: Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. Optional.
+          default: false

deploy_carvel/supervisor/vendir.lock.yml

@@ -0,0 +1,7 @@
+apiVersion: vendir.k14s.io/v1alpha1
+directories:
+- contents:
+  - directory: {}
+    path: .
+  path: config
+kind: LockConfig

deploy_carvel/supervisor/vendir.yml

@@ -0,0 +1,8 @@
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+- path: config
+  contents:
+  - path: .
+    directory:
+      path: ../../deploy/supervisor

hack/build-carvel-packages.sh

@@ -0,0 +1,417 @@
+#!/usr/bin/env bash
+
+# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# This script can be used to prepare a kind cluster and deploy the app.
+# You can call this script again to redeploy the app.
+# It will also output instructions on how to run the integration.
+#
+
+set -euo pipefail
+
+#
+# Helper functions
+#
+function log_note() {
+  GREEN='\033[0;32m'
+  NC='\033[0m'
+  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+    echo -e "${GREEN}$*${NC}"
+  else
+    echo "$*"
+  fi
+}
+
+function log_error() {
+  RED='\033[0;31m'
+  NC='\033[0m'
+  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+    echo -e "🙁${RED} Error: $* ${NC}"
+  else
+    echo ":( Error: $*"
+  fi
+}
+
+function check_dependency() {
+  if ! command -v "$1" >/dev/null; then
+    log_error "Missing dependency..."
+    log_error "$2"
+    exit 1
+  fi
+}
+
+
+pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$pinniped_path" || exit 1
+
+# arguments provided to scripts called by hack/prepare-for-integration-tests.sh
+# - app: unimportant, but always first
+# - tag: uuidgen in hack/prepare-for-integration-tests.sh
+#        if this script is run standalone, then auto-fill with a unique value
+app=${1:-"undefined"}
+tag=${2:-$(uuidgen)}
+
+# TODO: automate the version by release somehow.
+# the tag is the version in our build scripts, but we will want real versions for releases
+pinniped_package_version="${tag}" # ie, "0.25.0"
+
+# core pinniped binaries (concierge, supervisor, local-user-authenticator)
+# TODO: we can likely just pass in the whole registry_repo_tag from the parent script and be done.
+#    the duplication is unnecessary.  This script doesn't ever need to run standalone again.
+registry="kind-registry.local:5000"
+repo="test/build"
+registry_repo="$registry/$repo"
+registry_repo_tag="${registry_repo}:${tag}"
+
+api_group_suffix="pinniped.dev"
+
+# Package prefix for concierge, supervisor, local-user-authenticator
+package_prefix="test/build-package" # + $resource_name + ":" + $tag
+package_repo_prefix="${registry_repo}/${package_prefix}" # + $resource_name + ":" + $tag
+
+# Pinniped Package repository
+package_repository_repo="test/build-package-repository-pinniped"
+package_repository_repo_tag="${registry_repo}/${package_repository_repo}:${tag}"
+
+# carvel
+log_note "Installing kapp-controller on cluster..."
+KAPP_CONTROLLER_GLOBAL_NAMESPACE="kapp-controller-packaging-global"
+kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml" -y
+kubectl get customresourcedefinitions
+
+# Generate the OpenAPI v3 Schema files, imgpkg images.yml files
+declare -a arr=("local-user-authenticator" "concierge" "supervisor")
+for resource_name in "${arr[@]}"
+do
+  resource_qualified_name="${resource_name}.${api_group_suffix}"
+  package_repo_tag="${package_repo_prefix}-${resource_name}:${tag}"
+
+  resource_dir="deploy_carvel/${resource_name}"
+  resource_config_source_dir="deploy/${resource_name}"
+  resource_destination_dir="deploy_carvel/${resource_name}"
+  resource_config_destination_dir="${resource_destination_dir}/config"
+
+  # these must be real files, not symlinks
+  log_note "Vendir sync deploy directory for ${resource_name} to package bundle..."
+  pushd "${resource_destination_dir}" > /dev/null
+    vendir sync
+  popd > /dev/null
+
+  log_note "Generating OpenAPI v3 schema for ${resource_name}..."
+  ytt \
+    --file "${resource_config_destination_dir}" \
+    --data-values-schema-inspect \
+    --output openapi-v3 > \
+    "${resource_dir}/schema-openapi.yaml"
+
+  log_note "Generating .imgpkg/images.yml for ${resource_name}..."
+  mkdir -p "${resource_dir}/.imgpkg"
+  ytt \
+    --file "${resource_config_destination_dir}" | \
+    kbld -f- --imgpkg-lock-output "${resource_dir}/.imgpkg/images.yml"
+
+
+  log_note "Pushing Pinniped ${resource_name} Package bundle..."
+  imgpkg push --bundle "${package_repo_tag}" --file "${resource_dir}"
+  # validation flag?
+  log_note "Validating ${resource_name} Package bundle not empty (/tmp/${package_repo_tag})..."
+  imgpkg pull --bundle "${package_repo_tag}" --output "/tmp/${package_repo_tag}"
+
+
+  log_note "Generating PackageRepository Package entry for ${resource_name}"
+  # publish package versions to package repository
+  package_repository_dir="deploy_carvel/package_repository/packages/${resource_qualified_name}"
+  rm -rf "${package_repository_dir}"
+  mkdir "${package_repository_dir}"
+
+  ytt \
+    --file "${resource_dir}/package-template.yml" \
+    --data-value-file openapi="${resource_dir}/schema-openapi.yml" \
+    --data-value repo_host="${package_repo_prefix}-${resource_name}" \
+    --data-value version="${pinniped_package_version}" > "${package_repository_dir}/${pinniped_package_version}.yml"
+  cp "deploy_carvel/${resource_name}/metadata.yml" "${package_repository_dir}/metadata.yml"
+done
+
+log_note "Generating .imgpkg/images.yml for  Pinniped PackageRepository bundle..."
+mkdir -p "deploy_carvel/package_repository/.imgpkg"
+kbld --file "deploy_carvel/package_repository/packages/" --imgpkg-lock-output "deploy_carvel/package_repository/.imgpkg/images.yml"
+
+log_note "Pushing Pinniped PackageRepository bundle.... "
+imgpkg push --bundle "${package_repository_repo_tag}" --file "deploy_carvel/package_repository"
+
+# validation flag?
+log_note "Validating Pinniped PackageRepository bundle not empty /tmp/${package_repo_tag}..."
+imgpkg pull --bundle "${package_repository_repo_tag}" --output "/tmp/${package_repository_repo_tag}"
+
+
+
+## NOTE: could break apart here at a build and a deploy script.
+
+log_note "cleaning deploy artifacts..."
+rm -rf "deploy_carvel/deploy"
+mkdir "deploy_carvel/deploy"
+
+log_note "deploying PackageRepository..."
+pinniped_package_repository_name="pinniped-package-repository"
+pinniped_package_repository_file="deploy_carvel/deploy/packagerepository.${pinniped_package_version}.yml"
+echo -n "" > "${pinniped_package_repository_file}"
+cat <<EOT >> "${pinniped_package_repository_file}"
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageRepository
+metadata:
+  name: "${pinniped_package_repository_name}"
+  namespace: "${KAPP_CONTROLLER_GLOBAL_NAMESPACE}"
+spec:
+  fetch:
+    imgpkgBundle:
+      image: "${package_repository_repo_tag}"
+EOT
+
+kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_package_repository_file}" -y
+kapp inspect --app "${pinniped_package_repository_name}" --tree
+
+
+for resource_name in "${arr[@]}"
+do
+  log_note "creating PackageInstall and RBAC for ${resource_name}..."
+
+  namespace="${resource_name}-install-ns"
+  pinniped_package_rbac_prefix="pinniped-package-rbac-${resource_name}"
+  pinniped_package_rbac_file="deploy_carvel/deploy/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml"
+  echo -n "" > "${pinniped_package_rbac_file}"
+# TODO: will just a Role and RoleBinding work? Just for the target namespace.
+# - limit this to the LEAST privilege for each of the resources
+# - and document this for each of the resources.
+# - and we may need to TEMPLATE the namespace, if pinniped is installed in alt namespaces?
+cat <<EOF >> "${pinniped_package_rbac_file}"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "${namespace}"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "${pinniped_package_rbac_prefix}-sa-superadmin-dangerous"
+  namespace: "${namespace}"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "${pinniped_package_rbac_prefix}-role-superadmin-dangerous"
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "${pinniped_package_rbac_prefix}-role-binding-superadmin-dangerous"
+subjects:
+- kind: ServiceAccount
+  name: "${pinniped_package_rbac_prefix}-sa-superadmin-dangerous"
+  namespace: "${namespace}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "${pinniped_package_rbac_prefix}-role-superadmin-dangerous"
+
+EOF
+
+  kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y
+done
+
+# start local-user-authenticator
+# local-user-authenticator
+log_note "deploying local-user-authenticator PackageInstall resources..."
+resource_name="local-user-authenticator"
+NAMESPACE="${resource_name}-install-ns"
+PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
+PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
+SECRET_NAME="${resource_name}-package-install-secret"
+
+cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+    # name, does not have to be versioned, versionSelection.constraints below will handle
+    name: "${resource_name}-package-install"
+    namespace: "${NAMESPACE}"
+spec:
+  serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+  packageRef:
+    refName: "${RESOURCE_PACKAGE_VERSION}"
+    versionSelection:
+      constraints: "${pinniped_package_version}"
+  values:
+  - secretRef:
+      name: "${SECRET_NAME}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${SECRET_NAME}"
+  namespace: "${NAMESPACE}"
+stringData:
+  values.yml: |
+    ---
+    image_repo: $registry_repo
+    image_tag: $tag
+EOF
+
+KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
+log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
+kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
+
+test_username="test-username"
+test_groups="test-group-0,test-group-1"
+test_password="$(openssl rand -hex 16)"
+log_note "Creating test user '$test_username'..."
+kubectl create secret generic "$test_username" \
+  --namespace local-user-authenticator \
+  --from-literal=groups="$test_groups" \
+  --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
+  --dry-run=client \
+  --output yaml |
+  kubectl apply -f -
+
+
+
+# start concierge
+log_note "deploying concierge PackageInstall resources..."
+resource_name="concierge"
+NAMESPACE="${resource_name}-install-ns"
+PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
+PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
+SECRET_NAME="${resource_name}-package-install-secret"
+
+# from prepare-for-integration-tests.sh
+concierge_app_name="pinniped-concierge"
+concierge_namespace="concierge"
+webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
+discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
+concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
+log_level="debug"
+cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+    # name, does not have to be versioned, versionSelection.constraints below will handle
+    name: "${resource_name}-package-install"
+    namespace: "${NAMESPACE}"
+spec:
+  serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+  packageRef:
+    refName: "${RESOURCE_PACKAGE_VERSION}"
+    versionSelection:
+      constraints: "${pinniped_package_version}"
+  values:
+  - secretRef:
+      name: "${SECRET_NAME}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${SECRET_NAME}"
+  namespace: "${NAMESPACE}"
+stringData:
+  values.yml: |
+    ---
+    app_name: $concierge_app_name
+    namespace: $concierge_namespace
+    api_group_suffix: $api_group_suffix
+    log_level: $log_level
+    custom_labels: $concierge_custom_labels
+    image_repo: $registry_repo
+    image_tag: $tag
+    discovery_url: $discovery_url
+EOF
+
+KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
+log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
+kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
+# end concierge
+
+
+# start supervisor
+log_note "deploying supervisor PackageInstall resources..."
+resource_name="supervisor"
+NAMESPACE="${resource_name}-install-ns"
+PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
+RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
+PACKAGE_INSTALL_FILE_NAME="deploy_carvel/deploy/${resource_name}-pkginstall.yml"
+SECRET_NAME="${resource_name}-package-install-secret"
+
+# from prepare-for-integration-test.sh
+supervisor_app_name="pinniped-supervisor"
+supervisor_namespace="supervisor"
+supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
+log_level="debug"
+service_https_nodeport_port="443"
+service_https_nodeport_nodeport="31243"
+service_https_clusterip_port="443"
+cat > "${PACKAGE_INSTALL_FILE_NAME}" << EOF
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+    # name, does not have to be versioned, versionSelection.constraints below will handle
+    name: "${resource_name}-package-install"
+    namespace: "${NAMESPACE}"
+spec:
+  serviceAccountName: "${PINNIPED_PACKAGE_RBAC_PREFIX}-sa-superadmin-dangerous"
+  packageRef:
+    refName: "${RESOURCE_PACKAGE_VERSION}"
+    versionSelection:
+      constraints: "${pinniped_package_version}"
+  values:
+  - secretRef:
+      name: "${SECRET_NAME}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${SECRET_NAME}"
+  namespace: "${NAMESPACE}"
+stringData:
+  values.yml: |
+    ---
+    app_name: $supervisor_app_name
+    namespace: $supervisor_namespace
+    api_group_suffix: $api_group_suffix
+    image_repo: $registry_repo
+    image_tag: $tag
+    log_level: $log_level
+    custom_labels: $supervisor_custom_labels
+    service_https_nodeport_port: $service_https_nodeport_port
+    service_https_nodeport_nodeport: $service_https_nodeport_nodeport
+    service_https_clusterip_port: $service_https_clusterip_port
+EOF
+
+KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
+log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..."
+# TODO: does this wait not only for the PackageInstall, but the Package, and its deployments and pods, to be successful?  Because we need that.
+kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
+# end supervisor
+
+log_note "verifying PackageInstall resources..."
+kubectl get PackageInstall -A | grep pinniped
+kubectl get secret -A | grep pinniped
+
+log_note "listing all package resources (PackageRepository, Package, PackageInstall)..."
+kubectl get pkgi && kubectl get pkgr && kubectl get pkg
+
+log_note "listing all kapp cli apps..."
+kapp ls --all-namespaces
+
+log_note "listing all kapp-controller apps..."
+kubectl get app --all-namespaces

hack/integration-test-env-goland.sh

@@ -11,7 +11,8 @@ set -euo pipefail
 
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 
-source /tmp/integration-test-env
+
+source "/tmp/integration-test-env"
 
 echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;"
 

hack/kind-down.sh

@@ -8,4 +8,9 @@ set -euo pipefail
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 cd "${ROOT}"
 
+reg_name='kind-registry.local'
+docker network disconnect "kind" "${reg_name}" || true
+docker stop "${reg_name}" || true
+docker rm "${reg_name}" || true
+
 kind delete cluster --name pinniped

hack/kind-up.sh

@@ -8,6 +8,15 @@ set -euo pipefail
 ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "${ROOT}"
 
+# create registry container unless it already exists
+reg_name='kind-registry.local'
+reg_port='5000'
+if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
+  docker run \
+    -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
+    registry:2
+fi
+
 if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
   echo "Adding Contour port mapping to Kind config."
   ytt -f "${ROOT}/hack/lib/kind-config/single-node.yaml" \
@@ -18,3 +27,23 @@ else
   # To debug the kind config, add this option to the command below: `-v 10`
   kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped
 fi
+
+
+# connect the registry to the cluster network if not already connected
+if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
+  docker network connect "kind" "${reg_name}"
+fi
+
+# Document the local registry
+# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${reg_port}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF

hack/lib/kind-config/single-node.yaml

@@ -44,3 +44,11 @@ kubeadmConfigPatches:
     extraArgs:
       # See comment above.
       enable-aggregator-routing: "true"
+# TODO: in kind-up.sh these variables are created, but aren't passed in here, so we are hard-coding them
+# reg_name='kind-registry.local'
+# reg_port='5000'
+# perhaps we need to ytt --overlay it like we do the contour configuration?
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."kind-registry.local:5000"]
+    endpoint = ["http://kind-registry.local:5000"]

hack/noop.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+#
+# This script is intended to be used with:
+# - $repo_root/hack/prepare-for-integration-test.sh --alternate-deploy $(pwd)/deploy_carvel/hack/log-args.sh
+# and originated with the following:
+# - https://github.com/jvanzyl/pinniped-charts/blob/main/alternate-deploy-helm
+# along with this PR to pinniped:
+# - https://github.com/vmware-tanzu/pinniped/pull/1028
+set -euo pipefail
+
+#
+# Helper functions
+#
+function log_note() {
+  GREEN='\033[0;32m'
+  NC='\033[0m'
+  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+    echo -e "${GREEN}$*${NC}"
+  else
+    echo "$*"
+  fi
+}
+
+function log_error() {
+  RED='\033[0;31m'
+  NC='\033[0m'
+  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
+    echo -e "🙁${RED} Error: $* ${NC}"
+  else
+    echo ":( Error: $*"
+  fi
+}
+
+function check_dependency() {
+  if ! command -v "$1" >/dev/null; then
+    log_error "Missing dependency..."
+    log_error "$2"
+    exit 1
+  fi
+}
+
+app=${1}
+tag=${2}
+log_note "noop.sh >>> app: ${app} tag: ${tag}"

hack/prepare-for-integration-tests.sh

@@ -55,6 +55,7 @@ alternate_deploy="undefined"
 alternate_deploy_supervisor="undefined"
 alternate_deploy_concierge="undefined"
 alternate_deploy_local_user_authenticator="undefined"
+post_install="undefined"
 
 # supported variable style:
 #  --dockerfile-path ./foo.sh
@@ -140,6 +141,15 @@ while (("$#")); do
     alternate_deploy_local_user_authenticator=$1
     shift
     ;;
+  --post-install)
+    shift
+    if [[ "$#" == "0" || "$1" == -* ]]; then
+      log_error "--post-install requires a script path to be specified"
+      exit 1
+    fi
+    post_install=$1
+    shift
+    ;;
   -*)
     log_error "Unsupported flag $1" >&2
     if [[ "$1" == *"active-directory"* ]]; then
@@ -169,6 +179,7 @@ if [[ "$help" == "yes" ]]; then
   log_note "       --alternate-deploy-supervisor:                 specify an alternate deploy script to install Pinniped Supervisor"
   log_note "       --alternate-deploy-concierge:                  specify an alternate deploy script to install Pinniped Concierge"
   log_note "       --alternate-deploy-local-user-authenticator:   specify an alternate deploy script to install Pinniped local-user-authenticator"
+  log_note "       --post-install:                                specify an post-install script"
   exit 1
 fi
 
@@ -220,10 +231,14 @@ else
   fi
 fi
 
-registry="pinniped.local"
+
+# registry="pinniped.local"
+registry="kind-registry.local:5000"
+# TODO: need to prompt the user to edit their /etc/hosts here, because otherwise
+# we can't push images to the registry!  maybe check /etc/hosts for this change else error?
 repo="test/build"
 registry_repo="$registry/$repo"
-tag=$(uuidgen) # always a new tag to force K8s to reload the image on redeploy
+tag="0.0.0-$(uuidgen)" # always a new tag to force K8s to reload the image on redeploy
 
 if [[ "$skip_build" == "yes" ]]; then
   most_recent_tag=$(docker images "$registry/$repo" --format "{{.Tag}}" | head -1)
@@ -254,14 +269,13 @@ if [[ "$do_build" == "yes" ]]; then
 fi
 
 # Load it into the cluster
-log_note "Loading the app's container image into the kind cluster..."
-kind load docker-image "$registry_repo_tag" --name pinniped
+log_note "Loading the app's container image into the local registry ($registry)..."
+docker push "$registry_repo_tag"
 
 #
 # Deploy local-user-authenticator
 #
 manifest=/tmp/pinniped-local-user-authenticator.yaml
-
 if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ] ; then
   if [ "$alternate_deploy" != "undefined" ]; then
     log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
@@ -280,6 +294,7 @@ else
 
   kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
   kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
+
   popd >/dev/null
 fi
 
@@ -303,18 +318,6 @@ kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
 
 popd >/dev/null
 
-test_username="test-username"
-test_groups="test-group-0,test-group-1"
-test_password="$(openssl rand -hex 16)"
-log_note "Creating test user '$test_username'..."
-kubectl create secret generic "$test_username" \
-  --namespace local-user-authenticator \
-  --from-literal=groups="$test_groups" \
-  --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
-  --dry-run=client \
-  --output yaml |
-  kubectl apply -f -
-
 #
 # Deploy the Pinniped Supervisor
 #
@@ -364,7 +367,6 @@ manifest=/tmp/pinniped-concierge.yaml
 concierge_app_name="pinniped-concierge"
 concierge_namespace="concierge"
 webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
-webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
 discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
 concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
 log_level="debug"
@@ -396,6 +398,38 @@ else
   popd >/dev/null
 fi
 
+#
+# Call a post-install script
+# simplifies passing the $tag which may be necessary if the current local build is to be
+# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
+# running it after the above also allows appending to the environment variable file
+if [ "$post_install" != "undefined" ] ; then
+  log_note "The post-install script will be called with $tag..."
+  $post_install post-install-script $tag
+fi
+
+#
+# Test user for the authenticator
+# the authenticator may be deployed in alternative ways (ex. carvel package) but regardless we need a test user.
+#
+log_note "Creating test user for local-user-authenticator..."
+test_username="test-username"
+test_groups="test-group-0,test-group-1"
+test_password="$(openssl rand -hex 16)"
+
+kubectl create secret generic "$test_username" \
+  --namespace local-user-authenticator \
+  --from-literal=groups="$test_groups" \
+  --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
+  --dry-run=client \
+  --output yaml |
+  kubectl apply -f -
+
+#
+# Regardless of how the local-user-authenticator is installed, we need the webhook bundle in the environment file.
+#
+webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
+
 #
 # Download the test CA bundle that was generated in the Dex pod.
 # Note that this returns a base64 encoded value.
@@ -412,7 +446,9 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index
 kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
 pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
 
-cat <<EOF >/tmp/integration-test-env
+env_file_name="/tmp/integration-test-env"
+
+cat <<EOF >"$env_file_name"
 # The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
 export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
 export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
@@ -484,6 +520,7 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
 export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
 EOF
 
+
 #
 # Print instructions for next steps.
 #
@@ -491,7 +528,7 @@ log_note
 log_note "🚀 Ready to run integration tests! For example..."
 log_note "    cd $pinniped_path"
 log_note "    ulimit -n 512"
-log_note '    source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration'
+log_note "    source $env_file_name && go test -v -race -count 1 -timeout 0 ./test/integration"
 log_note
 log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
 log_note "    hack/integration-test-env-goland.sh | pbcopy"
@@ -501,3 +538,9 @@ log_note
 log_note "To delete the deployments, run:"
 log_note "  kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y &&  kapp delete -a $supervisor_app_name -y"
 log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
+log_note
+# TODO: come back and check the /etc/hosts file for the existence of
+# the correct lines, just like is done in prepare-supervisor-on-kind.sh
+log_note "Please run these commands to edit /etc/hosts, and then run this script again with the same options."
+log_note "  sudo bash -c \"echo '127.0.0.1 kind-registry.local' >> /etc/hosts\""
+log_note "When you are finished with your Kind cluster, you can remove these lines from /etc/hosts."

hack/prepare-supervisor-on-kind.sh

@@ -98,7 +98,7 @@ if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_u
 fi
 
 # Read the env vars output by hack/prepare-for-integration-tests.sh
-source /tmp/integration-test-env
+source "/tmp/integration-test-env"
 
 # Choose some filenames.
 root_ca_crt_path=root_ca.crt