From 1254f730f21be77e1f9b15181233e414063f6286 Mon Sep 17 00:00:00 2001 From: Joshua Casey Date: Fri, 16 May 2025 09:24:44 -0500 Subject: [PATCH] Revert the Concierge configmap data to inline rendering --- deploy/concierge/deployment.yaml | 56 +++++++++++++++++++++++--- deploy/concierge/helpers.lib.yaml | 66 ------------------------------- deploy/concierge/values.yaml | 15 +++++-- 3 files changed, 63 insertions(+), 74 deletions(-) diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml index 241163c5b..d24dbd02a 100644 --- a/deploy/concierge/deployment.yaml +++ b/deploy/concierge/deployment.yaml @@ -2,7 +2,7 @@ #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") -#@ load("@ytt:yaml", "yaml") +#@ load("@ytt:json", "json") #@ load("helpers.lib.yaml", #@ "defaultLabel", #@ "labels", @@ -10,8 +10,8 @@ #@ "namespace", #@ "defaultResourceName", #@ "defaultResourceNameWithSuffix", +#@ "getAndValidateLogLevel", #@ "pinnipedDevAPIGroupWithPrefix", -#@ "getPinnipedConfigMapData", #@ ) #@ load("@ytt:template", "template") 
@@ -66,10 +66,56 @@ metadata: labels: #@ labels() data: #! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below. - #! aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated. - #! impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated. #@yaml/text-templated-strings - pinniped.yaml: #@ yaml.encode(getPinnipedConfigMapData()) + pinniped.yaml: | + discovery: + url: (@= data.values.discovery_url or "null" @) + api: + servingCertificate: + durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @) + renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @) + apiGroupSuffix: (@= data.values.api_group_suffix @) + # aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated + # impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated + aggregatedAPIServerDisableAdmissionPlugins: [] + names: + servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @) + credentialIssuer: (@= defaultResourceNameWithSuffix("config") @) + apiService: (@= defaultResourceNameWithSuffix("api") @) + impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @) + impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @) + impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @) + impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @) + impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @) + 
agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @) + impersonationProxyServiceAccount: (@= defaultResourceNameWithSuffix("impersonation-proxy") @) + impersonationProxyLegacySecret: (@= defaultResourceNameWithSuffix("impersonation-proxy") @) + labels: (@= json.encode(labels()).rstrip() @) + kubeCertAgent: + namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @) + priorityClassName: (@= data.values.kube_cert_agent_priority_class_name @) + (@ if data.values.kube_cert_agent_image: @) + image: (@= data.values.kube_cert_agent_image @) + (@ else: @) + (@ if data.values.image_digest: @) + image: (@= data.values.image_repo + "@" + data.values.image_digest @) + (@ else: @) + image: (@= data.values.image_repo + ":" + data.values.image_tag @) + (@ end @) + (@ end @) + (@ if data.values.image_pull_dockerconfigjson: @) + imagePullSecrets: + - image-pull-secret + (@ end @) + (@ if data.values.log_level: @) + log: + level: (@= getAndValidateLogLevel() @) + (@ end @) + tls: + onedottwo: + allowedCiphers: (@= str(data.values.allowed_ciphers_for_tls_onedottwo) @) + audit: + logUsernamesAndGroups: (@= data.values.audit.log_usernames_and_groups @) --- #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": apiVersion: v1 diff --git a/deploy/concierge/helpers.lib.yaml b/deploy/concierge/helpers.lib.yaml index b003ffa81..2ab680a52 100644 --- a/deploy/concierge/helpers.lib.yaml +++ b/deploy/concierge/helpers.lib.yaml 
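Review bot: Several of the re-inlined scalars — `url:`, `apiGroupSuffix:`, `priorityClassName:` (and the `image:` lines) — substitute data.values strings into the pinniped.yaml text unquoted, so a value containing YAML-significant characters (`#`, `: `, a leading `*`/`&`, a line break) passes through and reshapes or truncates the rendered ConfigMap instead of being rejected; the removed yaml.encode() path did not have this exposure. The `labels:` line in the same hunk already shows the safe form, and the json module is now loaded, so the string fields can be quoted the same way: `apiGroupSuffix: (@= json.encode(data.values.api_group_suffix) @)`, `priorityClassName: (@= json.encode(data.values.kube_cert_agent_priority_class_name) @)`, and for the nullable URL `url: (@= json.encode(data.values.discovery_url) if data.values.discovery_url and data.values.discovery_url != "null" else "null" @)` (keeps the existing "null" sentinel). A JSON double-quoted string is a valid YAML scalar with the same value, so the parsed configuration is unchanged for well-formed inputs. Also note `durationSeconds`/`renewBeforeSeconds` now render via `str()` where the deleted helper applied `int()`, so a non-integer value is no longer caught at render time unless values.yaml's schema types those fields as integers (not visible here). The ConfigMap resource begins above this hunk.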
@@ -45,69 +45,3 @@ _: #@ template.replace(data.values.custom_labels) #@ end #@ return log_level #@ end - -#@ def getDiscoveryURL(): -#@ if data.values.discovery_url == "" or data.values.discovery_url == "null": -#@ return None -#@ end -#@ return data.values.discovery_url -#@ end - -#@ def getPinnipedConfigMapData(): -#@ config = { -#@ "discovery": { -#@ "url": getDiscoveryURL(), -#@ }, -#@ "api": { -#@ "servingCertificate": { -#@ "durationSeconds": int(data.values.api_serving_certificate_duration_seconds), -#@ "renewBeforeSeconds": int(data.values.api_serving_certificate_renew_before_seconds), -#@ }, -#@ }, -#@ "apiGroupSuffix": data.values.api_group_suffix, -#@ "names": { -#@ "servingCertificateSecret": defaultResourceNameWithSuffix("api-tls-serving-certificate"), -#@ "credentialIssuer": defaultResourceNameWithSuffix("config"), -#@ "apiService": defaultResourceNameWithSuffix("api"), -#@ "impersonationLoadBalancerService": defaultResourceNameWithSuffix("impersonation-proxy-load-balancer"), -#@ "impersonationClusterIPService": defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip"), -#@ "impersonationTLSCertificateSecret": defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate"), -#@ "impersonationCACertificateSecret": defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate"), -#@ "impersonationSignerSecret": defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate"), -#@ "agentServiceAccount": defaultResourceNameWithSuffix("kube-cert-agent"), -#@ "impersonationProxyServiceAccount": defaultResourceNameWithSuffix("impersonation-proxy"), -#@ "impersonationProxyLegacySecret": defaultResourceNameWithSuffix("impersonation-proxy"), -#@ }, -#@ "labels": labels(), -#@ "kubeCertAgent": { -#@ "namePrefix": defaultResourceNameWithSuffix("kube-cert-agent-"), -#@ "priorityClassName": "", -#@ }, -#@ "tls": { -#@ "onedottwo": { -#@ "allowedCiphers": data.values.allowed_ciphers_for_tls_onedottwo -#@ } -#@ }, -#@ "audit": { -#@ 
"logUsernamesAndGroups": data.values.audit.log_usernames_and_groups, -#@ }, -#@ "aggregatedAPIServerDisableAdmissionPlugins": [] -#@ } -#@ if data.values.kube_cert_agent_image: -#@ config["kubeCertAgent"]["image"] = data.values.kube_cert_agent_image -#@ else: -#@ if data.values.image_digest: -#@ config["kubeCertAgent"]["image"] = data.values.image_repo + "@" + data.values.image_digest -#@ else: -#@ config["kubeCertAgent"]["image"] = data.values.image_repo + ":" + data.values.image_tag -#@ end -#@ end -#@ if data.values.image_pull_dockerconfigjson: -#@ config["kubeCertAgent"]["imagePullSecrets"] = ["image-pull-secret"] -#@ end -#@ if data.values.log_level: -#@ config["log"] = {} -#@ config["log"]["level"] = getAndValidateLogLevel() -#@ end -#@ return config -#@ end diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml index e18b1cc8c..0eb011024 100644 --- a/deploy/concierge/values.yaml +++ b/deploy/concierge/values.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ def validate_strings_map(obj): 
@@ -68,15 +68,24 @@ image_digest: "" image_tag: latest #@schema/title "Kube Cert Agent image" -#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \ +#@ kube_cert_agent_image_desc = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \ #@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \ #@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used." -#@schema/desc kube_cert_agent_image +#@schema/desc kube_cert_agent_image_desc #@schema/examples ("Image including tag or digest", "ghcr.io/vmware-tanzu/pinniped/pinniped-server:latest") #@schema/nullable #@schema/validation min_len=1 kube_cert_agent_image: "" +#@schema/title "Kube Cert Agent Priority Class Name" +#@ kube_cert_agent_priority_class_name_desc = "Optionally specify a PriorityClassName for the 'kube-cert-agent' pod. \ +#@ See https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ for more details. \ +#@ By default, this is the empty string." +#@schema/desc kube_cert_agent_priority_class_name_desc +#@schema/examples ("name of a PriorityClass object", "high-priority") +#@schema/validation min_len=0 +kube_cert_agent_priority_class_name: "" + #@schema/title "Image pull dockerconfigjson" #@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \ #@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
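Review bot: `#@schema/validation min_len=0` on the new `kube_cert_agent_priority_class_name` accepts every string, so it neither documents a constraint nor rejects anything; given that deployment.yaml interpolates this value unquoted into the rendered pinniped.yaml, a value with YAML-significant characters would pass validation and alter the ConfigMap's structure. A PriorityClass name is a Kubernetes object name, so a predicate rule in the style of the file's existing `validate_strings_map` helper (e.g. empty string or a lowercase DNS-1123 subdomain) would be a meaningful check, or the annotation can simply be dropped rather than kept as a no-op. If the annotation is kept for its documentation value, a short `#! ` comment above it stating that the empty string means "no PriorityClass" would make the intent explicit.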