Revert the Concierge configmap data to inline rendering
@@ -2,7 +2,7 @@
|
||||
#! SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
#@ load("@ytt:data", "data")
|
||||
#@ load("@ytt:yaml", "yaml")
|
||||
#@ load("@ytt:json", "json")
|
||||
#@ load("helpers.lib.yaml",
|
||||
#@ "defaultLabel",
|
||||
#@ "labels",
|
||||
@@ -10,8 +10,8 @@
|
||||
#@ "namespace",
|
||||
#@ "defaultResourceName",
|
||||
#@ "defaultResourceNameWithSuffix",
|
||||
#@ "getAndValidateLogLevel",
|
||||
#@ "pinnipedDevAPIGroupWithPrefix",
|
||||
#@ "getPinnipedConfigMapData",
|
||||
#@ )
|
||||
#@ load("@ytt:template", "template")
|
||||
|
||||
@@ -66,10 +66,56 @@ metadata:
|
||||
labels: #@ labels()
|
||||
data:
|
||||
#! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below.
|
||||
#! aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated.
|
||||
#! impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated.
|
||||
#@yaml/text-templated-strings
|
||||
pinniped.yaml: #@ yaml.encode(getPinnipedConfigMapData())
|
||||
pinniped.yaml: |
|
||||
discovery:
|
||||
url: (@= data.values.discovery_url or "null" @)
|
||||
api:
|
||||
servingCertificate:
|
||||
durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
|
||||
renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
|
||||
apiGroupSuffix: (@= data.values.api_group_suffix @)
|
||||
# aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
|
||||
# impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
|
||||
aggregatedAPIServerDisableAdmissionPlugins: []
|
||||
names:
|
||||
servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
|
||||
credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
|
||||
apiService: (@= defaultResourceNameWithSuffix("api") @)
|
||||
impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @)
|
||||
impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @)
|
||||
impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @)
|
||||
impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @)
|
||||
impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @)
|
||||
agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @)
|
||||
impersonationProxyServiceAccount: (@= defaultResourceNameWithSuffix("impersonation-proxy") @)
|
||||
impersonationProxyLegacySecret: (@= defaultResourceNameWithSuffix("impersonation-proxy") @)
|
||||
labels: (@= json.encode(labels()).rstrip() @)
|
||||
kubeCertAgent:
|
||||
namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
|
||||
priorityClassName: (@= data.values.kube_cert_agent_priority_class_name @)
|
||||
(@ if data.values.kube_cert_agent_image: @)
|
||||
image: (@= data.values.kube_cert_agent_image @)
|
||||
(@ else: @)
|
||||
(@ if data.values.image_digest: @)
|
||||
image: (@= data.values.image_repo + "@" + data.values.image_digest @)
|
||||
(@ else: @)
|
||||
image: (@= data.values.image_repo + ":" + data.values.image_tag @)
|
||||
(@ end @)
|
||||
(@ end @)
|
||||
(@ if data.values.image_pull_dockerconfigjson: @)
|
||||
imagePullSecrets:
|
||||
- image-pull-secret
|
||||
(@ end @)
|
||||
(@ if data.values.log_level: @)
|
||||
log:
|
||||
level: (@= getAndValidateLogLevel() @)
|
||||
(@ end @)
|
||||
tls:
|
||||
onedottwo:
|
||||
allowedCiphers: (@= str(data.values.allowed_ciphers_for_tls_onedottwo) @)
|
||||
audit:
|
||||
logUsernamesAndGroups: (@= data.values.audit.log_usernames_and_groups @)
|
||||
---
|
||||
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
|
||||
apiVersion: v1
|
||||
|
||||
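Review bot: The text-templated values in `pinniped.yaml` are interpolated without quoting, so at `apiGroupSuffix`, `priorityClassName`, `discovery.url` and the three `image` lines a data value containing a newline, `: ` or ` #` would change the structure of the rendered Concierge config instead of staying a string. The `yaml.encode(getPinnipedConfigMapData())` form that this commit appears to replace encoded the values for you. The `labels` line already goes through `json.encode`, and the same would work for the string fields, e.g. `priorityClassName: (@= json.encode(data.values.kube_cert_agent_priority_class_name) @)` and `apiGroupSuffix: (@= json.encode(data.values.api_group_suffix) @)`. That also makes the empty default render as `""` rather than a bare key, which YAML reads as null. The ConfigMap this block belongs to starts above the hunk, so the indentation of the block scalar cannot be checked from here.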
@@ -45,69 +45,3 @@ _: #@ template.replace(data.values.custom_labels)
|
||||
#@ end
|
||||
#@ return log_level
|
||||
#@ end
|
||||
|
||||
#@ def getDiscoveryURL():
|
||||
#@ if data.values.discovery_url == "" or data.values.discovery_url == "null":
|
||||
#@ return None
|
||||
#@ end
|
||||
#@ return data.values.discovery_url
|
||||
#@ end
|
||||
|
||||
#@ def getPinnipedConfigMapData():
|
||||
#@ config = {
|
||||
#@ "discovery": {
|
||||
#@ "url": getDiscoveryURL(),
|
||||
#@ },
|
||||
#@ "api": {
|
||||
#@ "servingCertificate": {
|
||||
#@ "durationSeconds": int(data.values.api_serving_certificate_duration_seconds),
|
||||
#@ "renewBeforeSeconds": int(data.values.api_serving_certificate_renew_before_seconds),
|
||||
#@ },
|
||||
#@ },
|
||||
#@ "apiGroupSuffix": data.values.api_group_suffix,
|
||||
#@ "names": {
|
||||
#@ "servingCertificateSecret": defaultResourceNameWithSuffix("api-tls-serving-certificate"),
|
||||
#@ "credentialIssuer": defaultResourceNameWithSuffix("config"),
|
||||
#@ "apiService": defaultResourceNameWithSuffix("api"),
|
||||
#@ "impersonationLoadBalancerService": defaultResourceNameWithSuffix("impersonation-proxy-load-balancer"),
|
||||
#@ "impersonationClusterIPService": defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip"),
|
||||
#@ "impersonationTLSCertificateSecret": defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate"),
|
||||
#@ "impersonationCACertificateSecret": defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate"),
|
||||
#@ "impersonationSignerSecret": defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate"),
|
||||
#@ "agentServiceAccount": defaultResourceNameWithSuffix("kube-cert-agent"),
|
||||
#@ "impersonationProxyServiceAccount": defaultResourceNameWithSuffix("impersonation-proxy"),
|
||||
#@ "impersonationProxyLegacySecret": defaultResourceNameWithSuffix("impersonation-proxy"),
|
||||
#@ },
|
||||
#@ "labels": labels(),
|
||||
#@ "kubeCertAgent": {
|
||||
#@ "namePrefix": defaultResourceNameWithSuffix("kube-cert-agent-"),
|
||||
#@ "priorityClassName": "",
|
||||
#@ },
|
||||
#@ "tls": {
|
||||
#@ "onedottwo": {
|
||||
#@ "allowedCiphers": data.values.allowed_ciphers_for_tls_onedottwo
|
||||
#@ }
|
||||
#@ },
|
||||
#@ "audit": {
|
||||
#@ "logUsernamesAndGroups": data.values.audit.log_usernames_and_groups,
|
||||
#@ },
|
||||
#@ "aggregatedAPIServerDisableAdmissionPlugins": []
|
||||
#@ }
|
||||
#@ if data.values.kube_cert_agent_image:
|
||||
#@ config["kubeCertAgent"]["image"] = data.values.kube_cert_agent_image
|
||||
#@ else:
|
||||
#@ if data.values.image_digest:
|
||||
#@ config["kubeCertAgent"]["image"] = data.values.image_repo + "@" + data.values.image_digest
|
||||
#@ else:
|
||||
#@ config["kubeCertAgent"]["image"] = data.values.image_repo + ":" + data.values.image_tag
|
||||
#@ end
|
||||
#@ end
|
||||
#@ if data.values.image_pull_dockerconfigjson:
|
||||
#@ config["kubeCertAgent"]["imagePullSecrets"] = ["image-pull-secret"]
|
||||
#@ end
|
||||
#@ if data.values.log_level:
|
||||
#@ config["log"] = {}
|
||||
#@ config["log"]["level"] = getAndValidateLogLevel()
|
||||
#@ end
|
||||
#@ return config
|
||||
#@ end
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
|
||||
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
|
||||
#! SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
#@ def validate_strings_map(obj):
|
||||
@@ -68,15 +68,24 @@ image_digest: ""
|
||||
image_tag: latest
|
||||
|
||||
#@schema/title "Kube Cert Agent image"
|
||||
#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
|
||||
#@ kube_cert_agent_image_desc = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
|
||||
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
|
||||
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
|
||||
#@schema/desc kube_cert_agent_image
|
||||
#@schema/desc kube_cert_agent_image_desc
|
||||
#@schema/examples ("Image including tag or digest", "ghcr.io/vmware-tanzu/pinniped/pinniped-server:latest")
|
||||
#@schema/nullable
|
||||
#@schema/validation min_len=1
|
||||
kube_cert_agent_image: ""
|
||||
|
||||
#@schema/title "Kube Cert Agent Priority Class Name"
|
||||
#@ kube_cert_agent_priority_class_name_desc = "Optionally specify a PriorityClassName for the 'kube-cert-agent' pod. \
|
||||
#@ See https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ for more details. \
|
||||
#@ By default, this is the empty string."
|
||||
#@schema/desc kube_cert_agent_priority_class_name_desc
|
||||
#@schema/examples ("name of a PriorityClass object", "high-priority")
|
||||
#@schema/validation min_len=0
|
||||
kube_cert_agent_priority_class_name: ""
|
||||
|
||||
#@schema/title "Image pull dockerconfigjson"
|
||||
#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
|
||||
#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
|
||||
|
||||
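Review bot: `#@schema/validation min_len=0` on `kube_cert_agent_priority_class_name` can never fail, so the new value is accepted with any content. The ConfigMap template on this page places it unquoted after `priorityClassName:`, so a rule that rejects YAML-significant characters would be more useful, for example `#@schema/validation ("no newline, ':' or '#'", lambda v: "\n" not in v and ":" not in v and "#" not in v)`. Kubernetes also requires PriorityClass names to be DNS subdomain names, so `max_len=253` could be added alongside.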