refactor carvel packaging scripts

This commit is contained in:
Ryan Richard
2023-11-02 15:54:19 -07:00
parent e10d21d678
commit 07e9c5bd93
27 changed files with 125 additions and 209 deletions

.gitignore vendored

@@ -22,8 +22,3 @@
# Hugo temp file
.hugo_build.lock
# deploy_carvel is an ephemeral directory generated when certain scripts are executed.
# this directory will be created and populated with files that can be applied to a
# kubernetes cluster (specifically kind) in order to deploy Pinniped in an alternative way.
deploy_carvel
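Review bot: Dropping the `deploy_carvel` entry leaves the scripts' new output directory unignored unless another file in this commit covers it: build.sh and deploy.sh now write their generated artifacts under `dest_dir="deploy_carvel_tmp"`, including `.imgpkg/images.yml` files with resolved image digests and the generated install manifests, and the nested `.gitignore` that used to ignore those (the deleted section listing `*0.0.0*` and the `.imgpkg/images.yml` entries) is removed by the same commit. If no other hunk adds the new name, a `git add -A` after a dev run would stage registry-specific digests and throwaway RBAC/PackageInstall manifests. Suggest keeping an entry here with the existing comment adjusted to the new directory name: `deploy_carvel_tmp`.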


@@ -1,9 +1,9 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values-schema
---
#@schema/desc "Name of pinniped-concierge."
#@schema/desc "Used to help determine the names of various resources and labels."
app_name: pinniped-concierge
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
@@ -57,13 +57,14 @@ image_pull_dockerconfigjson: "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm
#@schema/nullable
discovery_url: https://example.com
#@ api_serving_certificate_desc = "Specify the duration and renewal interval for the API serving certificate. \
#@ The defaults are set to expire the cert about every 30 days, and to rotate it \
#@ about every 25 days."
#@ about every 25 days. Specify this as an integer or as a string which contains an integer value."
#@schema/desc api_serving_certificate_desc
#@schema/type any=True
api_serving_certificate_duration_seconds: 2592000
#@schema/desc api_serving_certificate_desc
#@schema/type any=True
api_serving_certificate_renew_before_seconds: 2160000
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
@@ -90,7 +91,6 @@ run_as_group: 65532
#@schema/desc api_group_suffix_desc
api_group_suffix: pinniped.dev
#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
impersonation_proxy_spec:
#! options are "auto", "disabled" or "enabled".
@@ -117,10 +117,8 @@ impersonation_proxy_spec:
#! None does not provision either and assumes that you have set the external_endpoint
#! and set up your own ingress to connect to the impersonation proxy.
#@schema/desc "Options are 'LoadBalancer', 'ClusterIP' and 'None'."
#@schema/nullable
type: LoadBalancer
#@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
#@schema/nullable
annotations:
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
#@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."


@@ -3,7 +3,6 @@
#@data/values-schema
---
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
#@schema/desc "Specify either an image_digest or an image_tag. If both are given, only image_digest will be used."


@@ -1,9 +1,9 @@
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values-schema
---
#@schema/desc "Name of pinniped-supervisor."
#@schema/desc "Used to help determine the names of various resources and labels."
app_name: pinniped-supervisor
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
@@ -18,9 +18,9 @@ into_namespace: my-preexisting-namespace
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels \
#@ specified here. The value of `custom_labels` must be a map of string keys to string values. \
#@ The app can be uninstalled either by: \
#@ 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
#@ resources that were dynamically created by controllers at runtime \
#@ 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
#@ 1.) deleting the static install-time yaml resources including the static namespace, which will cascade and also delete \
#@ resources that were dynamically created by controllers at runtime, \
#@ or, 2.) deleting all resources by label, which does not assume that there was a static install-time yaml namespace."
#@schema/desc custom_labels_desc
#@schema/type any=True
custom_labels: {} #! {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
@@ -61,19 +61,19 @@ deprecated_service_http_nodeport_nodeport: 31234
#@schema/desc "will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/nullable
deprecated_service_http_loadbalancer_port: 8443
#@schema/desc "#! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/desc "will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/nullable
deprecated_service_http_clusterip_port: 8443
#@schema/desc "#! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/desc "when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/nullable
service_https_nodeport_port: 31243
#@schema/desc "#! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
#@schema/desc "the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
#@schema/nullable
service_https_nodeport_nodeport: 31243
#@schema/desc "#! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/desc "when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/nullable
service_https_loadbalancer_port: 8443
#@schema/desc "#! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/desc "when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/nullable
service_https_clusterip_port: 8443
#@ service_loadbalancer_ip_desc="The `loadBalancerIP` value of the LoadBalancer Service. \
@@ -94,9 +94,9 @@ log_level: info
#@schema/nullable
deprecated_log_format: json
#@schema/desc "run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
#@schema/desc "specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_user: 65532
#@schema/desc "run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
#@schema/desc "specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice"
run_as_group: 65532
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
@@ -114,8 +114,8 @@ api_group_suffix: pinniped.dev
#@schema/desc https_proxy_desc
#@schema/nullable
https_proxy: http://proxy.example.com
#@schema/desc "do not proxy Kubernetes endpoints"
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
#@schema/desc "Endpoints that should not use the proxy."
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
#! Control the HTTP and HTTPS listeners of the Supervisor.
#!


@@ -1,18 +1,29 @@
#!/usr/bin/env bash
# Copyright 2020 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${ROOT}"
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
reg_name='kind-registry.local'
docker network disconnect "kind" "${reg_name}" || true
docker stop "${reg_name}" || true
docker rm "${reg_name}" || true
# If the container is running...
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" == 'true' ]; then
# Disconnect it from the kind network, if it was connected.
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" != 'null' ]; then
docker network disconnect "kind" "${reg_name}" >/dev/null
fi
echo "Stopping container $reg_name ..."
docker stop "${reg_name}" >/dev/null
# Delete it.
docker rm "${reg_name}" >/dev/null
fi
fi
kind delete cluster --name pinniped
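Review bot: The new `docker rm "${reg_name}"` only runs inside the `if` that requires `.State.Running` to be `true`, so a registry container that exists but is stopped (for example after a run that stopped it and then failed before the `rm`) is never removed. On the next `kind-up.sh` run the `.State.Running != 'true'` check goes straight to `docker run --name "${reg_name}"`, which fails on the name conflict, and under `set -e` that aborts cluster creation; the removed `|| true` fallbacks would have masked this, the new form surfaces it. Checking existence and running state separately keeps the disconnect/stop path conditional while the delete always happens.
```shell
reg_name='kind-registry.local'
# If the container exists at all (running or stopped)...
if docker inspect --type container "${reg_name}" >/dev/null 2>&1; then
  # Only a running container needs to be disconnected and stopped.
  if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}")" == 'true' ]; then
    if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" != 'null' ]; then
      docker network disconnect "kind" "${reg_name}" >/dev/null
    fi
    echo "Stopping container $reg_name ..."
    docker stop "${reg_name}" >/dev/null
  fi
  # Delete it whether it was running or already stopped.
  docker rm "${reg_name}" >/dev/null
fi
```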


@@ -8,45 +8,47 @@ set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${ROOT}"
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
# create registry container unless it already exists
# Create registry container unless it already exists.
reg_name='kind-registry.local'
reg_port='5000'
if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
echo "Running the registry:2 docker image..."
docker run \
-d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
--detach \
--restart=always \
--publish "127.0.0.1:${reg_port}:5000" \
--name "${reg_name}" \
registry:2
fi
fi
use_contour_registry=""
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
echo "Adding Contour port mapping to Kind config."
use_contour_registry="--file=${ROOT}/hack/lib/kind-config/contour-overlay.yaml"
fi
use_kind_registry=""
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
echo "Adding local registry to Kind config."
use_kind_registry="--file=${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml"
fi
$(ytt ${use_kind_registry} ${use_contour_registry} --file=${ROOT}/hack/lib/kind-config/single-node.yaml >/tmp/kind-config.yaml)
# Do not quote ${use_kind_registry} ${use_contour_registry} in this command because they might be empty.
ytt ${use_kind_registry} ${use_contour_registry} --file="${ROOT}"/hack/lib/kind-config/single-node.yaml >/tmp/kind-config.yaml
# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.28.0`.
# To debug the kind config, add this option to the command below: `-v 10`
kind create cluster --config /tmp/kind-config.yaml --name pinniped
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
# connect the registry to the cluster network if not already connected
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
# Connect the registry to the cluster network if not already connected.
if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" == 'null' ]; then
docker network connect "kind" "${reg_name}"
fi
# Document the local registry
# Configure kind to use the local registry.
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
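Review bot: The corrected `ytt ${use_kind_registry} ${use_contour_registry} --file=...` line still relies on unquoted expansion so that empty variables disappear, which is why the new comment above it has to warn against quoting; the same unquoted expansion also word-splits `${ROOT}` if the checkout path contains a space, because `--file=${ROOT}/...` is only quoted at assignment time. A bash array expresses the optional overlays directly, expands to nothing when empty, and keeps each path as a single word, so both the comment and the unquoted expansions go away (the `${arr[@]+...}` form below is needed because `set -u` rejects an empty array expansion on bash older than 4.4). The same hunk also mixes `[ ... ]` with `==` in the registry-network check and `[[ ... ]]` in the env-var checks; using `[[` throughout would match the rest of the script.
```shell
ytt_overlays=()
if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
  echo "Adding Contour port mapping to Kind config."
  ytt_overlays+=("--file=${ROOT}/hack/lib/kind-config/contour-overlay.yaml")
fi
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
  echo "Adding local registry to Kind config."
  ytt_overlays+=("--file=${ROOT}/hack/lib/kind-config/kind-registry-overlay.yaml")
fi
# The array expands to nothing when no overlay was selected; the ${arr[@]+...} guard keeps set -u quiet on bash < 4.4.
ytt ${ytt_overlays[@]+"${ytt_overlays[@]}"} --file="${ROOT}/hack/lib/kind-config/single-node.yaml" >/tmp/kind-config.yaml
# … unchanged: kind create cluster and registry network wiring …
```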


@@ -1,10 +0,0 @@
# Deployment via Carvel Packages
The Carvel Package deployment method can be exercised via the following invocation:
```bash
PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh \
--clean \
--alternate-deploy ./hack/noop.sh \
--post-install ./hack/build-carvel-packages.sh
```


@@ -1,21 +1,16 @@
#!/usr/bin/env bash
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# Copyright 2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# This script can be used in conjunction with prepare-for-integration-tests.sh.
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
# the integration tests script will create a local docker registry and configure kind to use the registry
# and will build the Pinniped binary and container image.
# This script will then create Carvel Packages for supervisor,concierge and local-user-authenticator.
# the prepare-for-integration-tests.sh script will create a local docker registry and configure kind to use the registry.
# This script will build the Pinniped binary and container image.
# This script will then create Carvel Packages for supervisor, concierge, and local-user-authenticator.
# It will also create a Carvel PackageRepository.
# The PackageRepository will be installed on the kind cluster, then PackageInstall resources
# will be created to deploy an instance of each of the packages on the cluster.
# Once this script has completed, Pinniped can be interacted with as if it had been deployed in the usual way,
# for example by running tests or by preparing supervisor for manual interactions:
# source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration -run /TestE2EFullIntegration_Browser
# hack/prepare-supervisor-on-kind.sh --oidc
# The PackageRepository will be installed on the kind cluster.
#
# Example usage:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh
@@ -53,15 +48,17 @@ function check_dependency() {
fi
}
# this script is best invoked from the root directory
# it is designed to be passed as --pre-install flag to hack/prepare-for-integration-tests.sh
# This script is best invoked from the root directory.
# It is designed to be passed as --pre-install flag to hack/prepare-for-integration-tests.sh.
hack_lib_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "${hack_lib_path}/../../" || exit 1
# arguments provided to scripts called by hack/prepare-for-integration-tests.sh
# - app: unimportant, but always first
# - tag: uuidgen in hack/prepare-for-integration-tests.sh
# if this script is run standalone, then auto-fill with a unique value
# Check for dependencies
check_dependency kbld "Please install kbld. e.g. 'brew tap vmware-tanzu/carvel && brew install kbld' for MacOS"
check_dependency imgpkg "Please install imgpkg. e.g. 'brew tap vmware-tanzu/carvel && brew install imgpkg' for MacOS"
check_dependency vendir "Please install vendir. e.g. 'brew tap vmware-tanzu/carvel && brew install vendir' for MacOS"
# Expected arguments.
app=${1:-"app-argument-not-provided"}
tag=${2:-"tag-argument-not-provided"}
registry=${3:-"registry-argument-not-provided"}
@@ -77,10 +74,8 @@ if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" == "" ]]; then
exit 1
fi
pinniped_package_version="${tag}" # ie, "0.25.0"
registry_repo="$registry/$repo"
registry_repo_tag="${registry_repo}:${tag}"
api_group_suffix="pinniped.dev"
@@ -91,15 +86,13 @@ package_repo_prefix="${registry_repo}/package" # + $resource_name + ":" + $tag
package_repository_repo="pinniped-package-repository"
package_repository_repo_tag="${registry_repo}/${package_repository_repo}:${tag}"
dest_dir="deploy_carvel"
carvel_package_src="hack/lib/carvel_packages"
template_src_dir="${carvel_package_src}/tpl"
template_src_dir="${carvel_package_src}/templates"
dest_dir="deploy_carvel_tmp"
# clean the root carvel package directory
rm -rf "${dest_dir}"
mkdir "${dest_dir}"
mkdir -p "${dest_dir}"
# Generate the OpenAPI v3 Schema files, imgpkg images.yml files
declare -a packages_to_build=("local-user-authenticator" "pinniped-concierge" "pinniped-supervisor")
@@ -110,7 +103,6 @@ do
# sources
resource_package_template_source_dir="${template_src_dir}/${resource_name}"
resource_ytt_config_file_source_dir="deploy/${resource_name}" # copy from original ytt templates
# destinations
resource_destination_dir="${dest_dir}/${resource_name}"
resource_config_destination_dir="${resource_destination_dir}/config"
@@ -143,8 +135,8 @@ do
imgpkg push --bundle "${package_repo_tag}" --file "${resource_destination_dir}"
log_note "Generating PackageRepository Package entry for ${resource_name}"
# publish package versions to package repository
packages_dir="deploy_carvel/package_repository/packages/"
# Publish package versions to package repository.
packages_dir="${dest_dir}/package_repository/packages/"
package_repository_dir="${packages_dir}/${resource_qualified_name}"
mkdir -p "${packages_dir}"
rm -rf "${package_repository_dir}"
@@ -160,11 +152,11 @@ do
done
log_note "Generating .imgpkg/images.yml for Pinniped PackageRepository bundle..."
mkdir -p "deploy_carvel/package_repository/.imgpkg"
kbld --file "deploy_carvel/package_repository/packages/" --imgpkg-lock-output "deploy_carvel/package_repository/.imgpkg/images.yml"
mkdir -p "${dest_dir}/package_repository/.imgpkg"
kbld --file "${dest_dir}/package_repository/packages/" --imgpkg-lock-output "${dest_dir}/package_repository/.imgpkg/images.yml"
log_note "Pushing Pinniped PackageRepository bundle.... "
imgpkg push --bundle "${package_repository_repo_tag}" --file "deploy_carvel/package_repository"
imgpkg push --bundle "${package_repository_repo_tag}" --file "${dest_dir}/package_repository"
# manually validate the package bundle by pulling it from the registry and examining its contents:
# imgpkg pull --bundle "${package_repository_repo_tag}" --output "/tmp/${package_repository_repo_tag}"
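Review bot: The positional arguments default to sentinel strings (`app=${1:-"app-argument-not-provided"}` and the two below it) and, as far as the hunks show, flow unchecked into `registry_repo="$registry/$repo"` and from there into the `imgpkg push --bundle` targets, so a missing argument produces a push attempt against a registry literally named `registry-argument-not-provided` rather than a usable error; if the lines between the second and third hunk already validate them, ignore this. A fail-fast form keeps the sentinel out of the push path: `registry=${3:?"registry argument is required"}` and likewise for `app` and `tag`. Separately, the comment on `pinniped_package_version="${tag}" # ie, "0.25.0"` does not match the documented invocation, where prepare-for-integration-tests.sh passes a tag of the form `0.0.0-<uuid>`; `# e.g. "0.25.0" for a release, or "0.0.0-<uuid>" when called from prepare-for-integration-tests.sh` would describe both cases.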


@@ -1,21 +1,13 @@
#!/usr/bin/env bash
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# Copyright 2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# This script can be used in conjunction with prepare-for-integration-tests.sh.
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
# the integration tests script will create a local docker registry and configure kind to use the registry
# and will build the Pinniped binary and container image.
# This script will then create Carvel Packages for supervisor,concierge and local-user-authenticator.
# It will also create a Carvel PackageRepository.
# The PackageRepository will be installed on the kind cluster, then PackageInstall resources
# will be created to deploy an instance of each of the packages on the cluster.
# Once this script has completed, Pinniped can be interacted with as if it had been deployed in the usual way,
# for example by running tests or by preparing supervisor for manual interactions:
# source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration -run /TestE2EFullIntegration_Browser
# hack/prepare-supervisor-on-kind.sh --oidc
# the prepare-for-integration-tests.sh script will create a local docker registry and configure kind to use the registry.
# This script will deploy the Carvel Packages for supervisor, concierge, or local-user-authenticator.
#
# Example usage:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh
@@ -53,15 +45,12 @@ function check_dependency() {
fi
}
# this script is best invoked from the root directory
# it is designed to be passed as --pre-install flag to hack/prepare-for-integration-tests.sh
# This script is best invoked from the root directory.
# It is designed to be passed as --alternate-deploy flag to hack/prepare-for-integration-tests.sh.
hack_lib_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$hack_lib_path/../../" || exit 1
# arguments provided to scripts called by hack/prepare-for-integration-tests.sh
# - app: unimportant, but always first
# - tag: uuidgen in hack/prepare-for-integration-tests.sh
# if this script is run standalone, then auto-fill with a unique value
# Expected arguments.
app=${1:-"app-argument-not-provided"}
tag=${2:-"tag-argument-not-provided"}
registry=${3:-"registry-argument-not-provided"}
@@ -80,35 +69,28 @@ if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" == "" ]]; then
exit 1
fi
pinniped_package_version="${tag}" # ie, "0.25.0"
registry_repo="$registry/$repo"
registry_repo_tag="${registry_repo}:${tag}"
api_group_suffix="pinniped.dev"
# Package prefix for concierge, supervisor, local-user-authenticator
package_repo_prefix="${registry_repo}/package" # + $resource_name + ":" + $tag
# Pinniped Package repository
package_repository_repo="pinniped-package-repository"
package_repository_repo_tag="${registry_repo}/${package_repository_repo}:${tag}"
# Use the same directory as build.sh.
dest_dir="deploy_carvel_tmp"
# deploy kapp-controller onto kind cluster
# Deploy kapp-controller onto kind cluster.
log_note "Installing kapp-controller on cluster..."
KAPP_CONTROLLER_GLOBAL_NAMESPACE="kapp-controller-packaging-global"
kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml" -y
# ensure this directory exists though this script will run several times
mkdir -p "deploy_carvel/install"
# Ensure this directory exists though this script will run several times.
mkdir -p "${dest_dir}/install"
log_note "Deploying Pinniped PackageRepository..."
pinniped_package_repository_name="pinniped-package-repository"
pinniped_package_repository_file="deploy_carvel/install/packagerepository.${pinniped_package_version}.yml"
echo -n "" > "${pinniped_package_repository_file}"
cat <<EOT >> "${pinniped_package_repository_file}"
pinniped_package_repository_file="${dest_dir}/install/packagerepository.${pinniped_package_version}.yml"
cat <<EOT > "${pinniped_package_repository_file}"
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
@@ -124,20 +106,18 @@ EOT
kapp deploy --app "${pinniped_package_repository_name}" --file "${pinniped_package_repository_file}" -y
kapp inspect --app "${pinniped_package_repository_name}" --tree
resource_name="${app}"
log_note "Creating RBAC for ${resource_name} PackageInstall..."
namespace="${resource_name}-install-ns"
pinniped_package_rbac_prefix="pinniped-package-rbac-${resource_name}"
pinniped_package_rbac_file="deploy_carvel/install/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml"
echo -n "" > "${pinniped_package_rbac_file}"
# NOTE: this script is for development purposes running on a local kind cluster.
pinniped_package_rbac_file="${dest_dir}/install/${pinniped_package_rbac_prefix}-${resource_name}-rbac.yml"
# NOTE: This script is for development purposes running on a local kind cluster.
# For any other use case, the generated artifacts should be properly reviewed.
# For example, the RBAC generated here should be adjusted to conform to the
# principle of LEAST privilege.
cat <<EOF >> "${pinniped_package_rbac_file}"
cat <<EOF > "${pinniped_package_rbac_file}"
---
apiVersion: v1
kind: Namespace
@@ -176,12 +156,11 @@ EOF
kapp deploy --app "${pinniped_package_rbac_prefix}" --file "${pinniped_package_rbac_file}" -y
log_note "Creating ${resource_name} PackageInstall..."
NAMESPACE="${resource_name}-install-ns"
PINNIPED_PACKAGE_RBAC_PREFIX="pinniped-package-rbac-${resource_name}"
RESOURCE_PACKAGE_VERSION="${resource_name}.pinniped.dev"
PACKAGE_INSTALL_FILE_NAME="deploy_carvel/install/${resource_name}-pkginstall.yml"
PACKAGE_INSTALL_FILE_NAME="${dest_dir}/install/${resource_name}-pkginstall.yml"
SECRET_NAME="${resource_name}-package-install-secret"
log_note "Generating ${PACKAGE_INSTALL_FILE_NAME}..."
@@ -211,7 +190,6 @@ KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall"
log_note "Deploying ${KAPP_CONTROLLER_APP_NAME}..."
kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y
log_note "Verifying PackageInstall resources..."
kubectl get PackageInstall -A | grep pinniped
kubectl get secret -A | grep pinniped
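Review bot: `kapp deploy --app kapp-controller --file "https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml" -y` is unchanged by this hunk, but with the script now invoked once per app it is re-run on every deploy, and it applies whatever release is current at run time without review, so the controller version on the dev cluster is neither pinned nor reproducible and an upstream release changes behaviour silently. Pinning the tag in the URL (`.../releases/download/<pinned-tag>/release.yml`, tag to be chosen) and noting it next to the tool checks at the top of the script would turn an upstream change into a deliberate bump; downloading to a file and checking the published checksum first, where upstream offers one, would be the next step. Also, `dest_dir="deploy_carvel_tmp"` is now a literal repeated in build.sh and deploy.sh with only the "Use the same directory as build.sh." comment tying them together; sourcing it from one place (for example an env var with the same default in both) would keep the two from drifting.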


@@ -1,12 +0,0 @@
# package_repository/packages/{pkg}/ contains specific SHAs of images
# we are using 0.0.0- to indicate dev versions of images
*0.0.0*
# installation artifacts will be generated here
deploy/
# images.yml files contain specific SHAs of images
concierge/.imgpkg/images.yml
supervisor/.imgpkg/images.yml
local-user-authenticator/.imgpkg/images.yml
package_repository/.imgpkg/images.yml


@@ -2,7 +2,7 @@
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.all
#@overlay/match by=overlay.subset({"kind": "Cluster"}), expects=1
---
#@overlay/match missing_ok=True
containerdConfigPatches:


@@ -6,15 +6,13 @@
#
# This script can be used to prepare a kind cluster and deploy the app.
# You can call this script again to redeploy the app.
# It will also output instructions on how to run the integration.
# It will also output instructions on how to run the integration tests.
#
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value,
# the script will create a local docker registry and configure kind to use the registry. When building
# and installing Pinniped normally this is unnecessary. However, if an alternative build and install approach
# is taken, such as via a Carvel packaging mechanism, a local registry might be needed (for example, the
# kbld tool requires a registry to resolve images to shas).
#
# Example usage:
# When invoked with the PINNIPED_USE_LOCAL_KIND_REGISTRY environment variable set to a non-empty value, then
# this script will create a local registry and configure kind to use that registry. This is normally unnecessary.
# However, if an alternative build and deploy approach is used, such as via a Carvel packaging mechanism, then a local
# registry could be needed (e.g. the kbld tool requires a registry to resolve images to shas).
# For example, to alternatively build and deploy Pinniped as a Carvel package, use:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh
#
set -euo pipefail
@@ -62,10 +60,6 @@ get_active_directory_vars="" # specify a filename for a script to get AD related
alternate_deploy="undefined"
pre_install="undefined"
# supported variable style:
# --dockerfile-path ./foo.sh
# unsupported variable style (using = will fail the script):
# --dockerfile-path=./foo.sh
while (("$#")); do
case "$1" in
-h | --help)
@@ -148,13 +142,13 @@ if [[ "$help" == "yes" ]]; then
log_note " $me [flags]"
log_note
log_note "Flags:"
log_note " -h, --help: print this usage"
log_note " -c, --clean: destroy the current kind cluster and make a new one"
log_note " -g, --api-group-suffix: deploy Pinniped with an alternate API group suffix"
log_note " -s, --skip-build: reuse the most recently built image of the app instead of building"
log_note " -a, --get-active-directory-vars: specify a script that exports active directory environment variables"
log_note " --alternate-deploy: specify an alternate deploy script to install all components of Pinniped"
log_note " --pre-install: specify an pre-install script such as a build script"
log_note " -h, --help: print this usage"
log_note " -c, --clean: destroy the current kind cluster and make a new one"
log_note " -g, --api-group-suffix: deploy Pinniped with an alternate API group suffix"
log_note " -s, --skip-build: reuse the most recently built image of the app instead of building"
log_note " -a, --get-active-directory-vars: specify a script that exports active directory environment variables"
log_note " --alternate-deploy: specify an alternate deploy script to install all components of Pinniped"
log_note " --pre-install: specify an pre-install script such as a build script"
exit 1
fi
@@ -217,7 +211,6 @@ repo="test/build"
registry_repo="$registry_with_port/$repo"
tag="0.0.0-$(uuidgen)" # always a new tag to force K8s to reload the image on redeploy
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
etc_hosts_local_registry_missing=no
if ! grep -q "$registry" /etc/hosts; then
@@ -251,7 +244,7 @@ registry_repo_tag="${registry_repo}:${tag}"
if [[ "$do_build" == "yes" ]]; then
# Rebuild the code
testing_version="${KUBE_GIT_VERSION:-}"
if [[ "$dockerfile_path" != "" ]]; then
if [[ "$dockerfile_path" != "" ]]; then
log_note "Docker building the app with dockerfile $dockerfile_path and KUBE_GIT_VERSION='$testing_version'"
DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag" --file "$dockerfile_path" --build-arg "KUBE_GIT_VERSION=$testing_version"
else
@@ -262,51 +255,40 @@ if [[ "$do_build" == "yes" ]]; then
fi
if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
# if registry used, push to the registry
# If registry used, push to the registry.
log_note "Loading the app's container image into the local registry ($registry_with_port)..."
docker push "$registry_repo_tag"
else
# otherwise side-load directly
# Otherwise, side-load directly.
log_note "Loading the app's container image into the kind cluster..."
kind load docker-image "$registry_repo_tag" --name pinniped
fi
#
# Call a pre-install script
# simplifies passing the $tag which may be necessary if the current local build is to be
# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
# running it after the above also allows appending to the environment variable file
if [ "$pre_install" != "undefined" ] ; then
log_note "The pre-install script will be called with $tag..."
$pre_install pre-install-script $tag $registry_with_port $repo
if [ "$pre_install" != "undefined" ]; then
log_note "Calling the pre-install script with args: $tag $registry_with_port $repo ..."
$pre_install pre-install-script "$tag" $registry_with_port $repo
fi
#
# Deploy local-user-authenticator
#
manifest=/tmp/pinniped-local-user-authenticator.yaml
data_values_path="/tmp/local-user-authenticator"
data_values_file="${data_values_path}/values.yml"
mkdir -p "${data_values_path}"
cat <<EOF > "$data_values_file"
data_values_file=/tmp/local-user-authenticator-values.yml
cat <<EOF >"$data_values_file"
---
image_repo: $registry_repo
image_tag: $tag
EOF
if [ "$alternate_deploy" != "undefined" ]; then
$alternate_deploy local-user-authenticator $tag $registry_with_port $repo $data_values_file
log_note "The local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag $registry_with_port $repo $data_values_file ..."
$alternate_deploy local-user-authenticator "$tag" $registry_with_port $repo $data_values_file
else
log_note "Deploying the local-user-authenticator app to the cluster using kapp..."
pushd deploy/local-user-authenticator >/dev/null
ytt --file . --data-values-file "$data_values_file" >"$manifest"
ytt --file . --data-values-file "$data_values_file" >"$manifest"
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null
fi
@@ -324,16 +306,15 @@ ytt --file . \
--data-value "pinny_ldap_password=$ldap_test_password" \
--data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \
>"$manifest"
kapp deploy --yes --app tools --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null
#
# Deploy the Pinniped Supervisor
#
manifest=/tmp/pinniped-supervisor.yaml
data_values_file=/tmp/supervisor-values.yml
supervisor_app_name="pinniped-supervisor"
supervisor_namespace="supervisor"
supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
@@ -341,10 +322,7 @@ log_level="debug"
service_https_nodeport_port="443"
service_https_nodeport_nodeport="31243"
service_https_clusterip_port="443"
data_values_path="/tmp/supervisor"
data_values_file="${data_values_path}/values.yml"
mkdir -p "${data_values_path}"
cat <<EOF > "$data_values_file"
cat <<EOF >"$data_values_file"
---
app_name: $supervisor_app_name
namespace: $supervisor_namespace
@@ -359,14 +337,12 @@ service_https_clusterip_port: $service_https_clusterip_port
EOF
if [ "$alternate_deploy" != "undefined" ]; then
log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
$alternate_deploy pinniped-supervisor $tag $registry_with_port $repo $data_values_file
log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag $registry_with_port $repo $data_values_file ..."
$alternate_deploy pinniped-supervisor "$tag" $registry_with_port $repo $data_values_file
else
log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..."
pushd deploy/supervisor >/dev/null
ytt --file . --data-values-file "$data_values_file" >"$manifest"
ytt --file . --data-values-file "$data_values_file" >"$manifest"
kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null
@@ -376,16 +352,14 @@ fi
# Deploy the Pinniped Concierge
#
manifest=/tmp/pinniped-concierge.yaml
data_values_file=/tmp/concierge-values.yml
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"
data_values_path="/tmp/concierge"
data_values_file="${data_values_path}/values.yml"
mkdir -p "${data_values_path}"
cat <<EOF > "$data_values_file"
cat <<EOF >"$data_values_file"
---
app_name: $concierge_app_name
namespace: $concierge_namespace
@@ -398,23 +372,19 @@ discovery_url: $discovery_url
EOF
if [ "$alternate_deploy" != "undefined" ]; then
log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..."
$alternate_deploy pinniped-concierge $tag $registry_with_port $repo $data_values_file
log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag $registry_with_port $repo $data_values_file ..."
$alternate_deploy pinniped-concierge "$tag" $registry_with_port $repo $data_values_file
else
log_note "Deploying the Pinniped Concierge app to the cluster using kapp..."
pushd deploy/concierge >/dev/null
ytt --file . --data-values-file "$data_values_file" >"$manifest"
ytt --file . --data-values-file "$data_values_file" >"$manifest"
kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
popd >/dev/null
fi
#
# Test user for the authenticator
# the authenticator may be deployed in alternative ways (ex. carvel package) but regardless we need a test user.
# Create a test user in the local-user-authenticator and get its CA bundle.
#
log_note "Creating test user for local-user-authenticator..."
test_username="test-username"
@@ -429,9 +399,6 @@ kubectl create secret generic "$test_username" \
--output yaml |
kubectl apply -f -
#
# Regardless of how the local-user-authenticator is installed, we need the webhook bundle in the environment file.
#
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
#
@@ -450,9 +417,7 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
env_file_name="/tmp/integration-test-env"
cat <<EOF >"$env_file_name"
cat <<EOF >/tmp/integration-test-env
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
@@ -524,7 +489,6 @@ PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
EOF
#
# Print instructions for next steps.
#
@@ -532,7 +496,7 @@ log_note
log_note "🚀 Ready to run integration tests! For example..."
log_note " cd $pinniped_path"
log_note " ulimit -n 512"
log_note " source $env_file_name && go test -v -race -count 1 -timeout 0 ./test/integration"
log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration'
log_note
log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
log_note " hack/integration-test-env-goland.sh | pbcopy"
@@ -546,4 +510,3 @@ if [[ "${PINNIPED_USE_LOCAL_KIND_REGISTRY:-}" != "" ]]; then
else
log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
fi
log_note