From 1428444c2453be490500f853ffd1118926af8880 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 14 May 2025 10:58:26 -0700
Subject: [PATCH] refactor how Concierge ConfigMap gets templated

Make it similar to how the Supervisor templates work. This creates a more human-readable ConfigMap on the cluster.
---
 deploy/concierge/deployment.yaml | 64 +++++++------------------------
 deploy/concierge/helpers.lib.yaml | 61 ++++++++++++++++++++++++++++-
 deploy/supervisor/deployment.yaml | 4 +-
 3 files changed, 76 insertions(+), 53 deletions(-)

diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index 2c7338176..241163c5b 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -2,8 +2,17 @@
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
-#@ load("@ytt:json", "json")
-#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
+#@ load("@ytt:yaml", "yaml")
+#@ load("helpers.lib.yaml",
+#@ "defaultLabel",
+#@ "labels",
+#@ "deploymentPodLabel",
+#@ "namespace",
+#@ "defaultResourceName",
+#@ "defaultResourceNameWithSuffix",
+#@ "pinnipedDevAPIGroupWithPrefix",
+#@ "getPinnipedConfigMapData",
+#@ )
 #@ load("@ytt:template", "template")
 
 #@ if not data.values.into_namespace:
@@ -57,55 +66,10 @@ metadata:
 labels: #@ labels()
 data:
 #! If names.apiService is changed in this ConfigMap, must also change name of the ClusterIP Service resource below.
+ #! aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated.
+ #! impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated.
 #@yaml/text-templated-strings
- pinniped.yaml: |
- discovery:
- url: (@= data.values.discovery_url or "null" @)
- api:
- servingCertificate:
- durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
- renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
- apiGroupSuffix: (@= data.values.api_group_suffix @)
- # aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
- # impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
- aggregatedAPIServerDisableAdmissionPlugins: []
- names:
- servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
- credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
- apiService: (@= defaultResourceNameWithSuffix("api") @)
- impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @)
- impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @)
- impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @)
- impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @)
- impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @)
- agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @)
- impersonationProxyServiceAccount: (@= defaultResourceNameWithSuffix("impersonation-proxy") @)
- impersonationProxyLegacySecret: (@= defaultResourceNameWithSuffix("impersonation-proxy") @)
- labels: (@= json.encode(labels()).rstrip() @)
- kubeCertAgent:
- namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
- (@ if data.values.kube_cert_agent_image: @)
- image: (@= data.values.kube_cert_agent_image @)
- (@ else: @)
- (@ if data.values.image_digest: @)
- image: (@= data.values.image_repo + "@" + data.values.image_digest @)
- (@ else: @)
- image: (@= data.values.image_repo + ":" + data.values.image_tag @)
- (@ end @)
- (@ end @)
- (@ if data.values.image_pull_dockerconfigjson: @)
- imagePullSecrets:
- - image-pull-secret
- (@ end @)
- (@ if data.values.log_level: @)
- log:
- level: (@= getAndValidateLogLevel() @)
- (@ end @)
- tls:
- onedottwo:
- allowedCiphers: (@= str(data.values.allowed_ciphers_for_tls_onedottwo) @)
- audit:
- logUsernamesAndGroups: (@= data.values.audit.log_usernames_and_groups @)
+ pinniped.yaml: #@ yaml.encode(getPinnipedConfigMapData())
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
diff --git a/deploy/concierge/helpers.lib.yaml b/deploy/concierge/helpers.lib.yaml
index 542fe069b..8ba390983 100644
--- a/deploy/concierge/helpers.lib.yaml
+++ b/deploy/concierge/helpers.lib.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
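Review bot: The `#@yaml/text-templated-strings` annotation is still attached to the `pinniped.yaml` entry even though its value is now produced by `#@ yaml.encode(getPinnipedConfigMapData())` rather than by `(@= @)` text templating, so the annotation looks dead; unless the Supervisor deployment this mirrors keeps it for a reason, drop it so that no text-templating pass remains over a string assembled from data values. The move to `yaml.encode` is itself a good change for the values interpolated here (`discovery_url`, `api_group_suffix`, the cipher list, the labels), since they now go through a YAML encoder instead of being spliced as raw text into a block literal, and that is worth one sentence in the commit description. The two `#!` port comments replace the in-document `#` comments from the removed template, which means they no longer show up in the rendered ConfigMap; if operators relied on seeing them there, that is a visible side effect of the refactor to call out.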
@@ -45,3 +45,62 @@ _: #@ template.replace(data.values.custom_labels)
 #@ end
 #@ return log_level
 #@ end
+
+#@ def getPinnipedConfigMapData():
+#@ config = {
+#@ "discovery": {
+#@ "url": data.values.discovery_url or None,
+#@ },
+#@ "api": {
+#@ "servingCertificate": {
+#@ "durationSeconds": data.values.api_serving_certificate_duration_seconds,
+#@ "renewBeforeSeconds": data.values.api_serving_certificate_renew_before_seconds,
+#@ },
+#@ },
+#@ "apiGroupSuffix": data.values.api_group_suffix,
+#@ "names": {
+#@ "servingCertificateSecret": defaultResourceNameWithSuffix("api-tls-serving-certificate"),
+#@ "credentialIssuer": defaultResourceNameWithSuffix("config"),
+#@ "apiService": defaultResourceNameWithSuffix("api"),
+#@ "impersonationLoadBalancerService": defaultResourceNameWithSuffix("impersonation-proxy-load-balancer"),
+#@ "impersonationClusterIPService": defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip"),
+#@ "impersonationTLSCertificateSecret": defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate"),
+#@ "impersonationCACertificateSecret": defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate"),
+#@ "impersonationSignerSecret": defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate"),
+#@ "agentServiceAccount": defaultResourceNameWithSuffix("kube-cert-agent"),
+#@ "impersonationProxyServiceAccount": defaultResourceNameWithSuffix("impersonation-proxy"),
+#@ "impersonationProxyLegacySecret": defaultResourceNameWithSuffix("impersonation-proxy"),
+#@ },
+#@ "labels": labels(),
+#@ "kubeCertAgent": {
+#@ "namePrefix": defaultResourceNameWithSuffix("kube-cert-agent-"),
+#@ "priorityClassName": "",
+#@ },
+#@ "tls": {
+#@ "onedottwo": {
+#@ "allowedCiphers": data.values.allowed_ciphers_for_tls_onedottwo
+#@ }
+#@ },
+#@ "audit": {
+#@ "logUsernamesAndGroups": data.values.audit.log_usernames_and_groups,
+#@ },
+#@ "aggregatedAPIServerDisableAdmissionPlugins": []
+#@ }
+#@ if data.values.kube_cert_agent_image:
+#@ config["kubeCertAgent"]["image"] = data.values.kube_cert_agent_image
+#@ else:
+#@ if data.values.image_digest:
+#@ config["kubeCertAgent"]["image"] = data.values.image_repo + "@" + data.values.image_digest
+#@ else:
+#@ config["kubeCertAgent"]["image"] = data.values.image_repo + ":" + data.values.image_tag
+#@ end
+#@ end
+#@ if data.values.image_pull_dockerconfigjson:
+#@ config["kubeCertAgent"]["imagePullSecrets"] = ["image-pull-secret"]
+#@ end
+#@ if data.values.log_level:
+#@ config["log"] = {}
+#@ config["log"]["level"] = getAndValidateLogLevel()
+#@ end
+#@ return config
+#@ end
diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
index 909e424bf..eac3f393d 100644
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -13,7 +13,7 @@
 #@ "pinnipedDevAPIGroupWithPrefix",
 #@ "getPinnipedConfigMapData",
 #@ "hasUnixNetworkEndpoint",
-#@ )
+#@ )
 #@ load("@ytt:template", "template")
 
 #@ if not data.values.into_namespace:
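Review bot: `"priorityClassName": ""` under `kubeCertAgent` has no counterpart in the template removed from deployment.yaml, so a commit described as a refactor now emits a key the old ConfigMap never carried; either drop it to keep the change behavior-preserving, or say in the description why an explicit empty value is wanted (presumably the Concierge treats empty as unset, but that cannot be confirmed from this diff). The new function has no header comment; add `#! Returns the dict that is YAML-encoded into the pinniped.yaml entry of the Concierge ConfigMap.` above the `def` so the relationship to deployment.yaml is visible from the helper file. The nested `if`/`else` that selects the kube cert agent image reads better as one flat chain, with `elif data.values.image_digest:` replacing the inner `if` and one of the two `end` lines going away, and the two-step `config["log"] = {}` followed by `config["log"]["level"] = ...` collapses to `config["log"] = {"level": getAndValidateLogLevel()}`. Trailing commas are also inconsistent across the literal (`"allowedCiphers"` and `"aggregatedAPIServerDisableAdmissionPlugins"` have none while their siblings do), which makes the next addition a two-line diff.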