Commit a8031e4

Improve registry and Git config (#1)
* Improve registry and Git config
1 parent 3e976a5 commit a8031e4

File tree

17 files changed

+201
-60
lines changed

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,6 @@ jobs:
1818
registry-server: ghcr.io
1919
registry-username: ${{ github.actor }}
2020
image: ${{ github.repository }}
21-
version: 0.1.1
21+
version: 0.2.0
2222
secrets:
2323
pull-request-token: ${{ secrets.GH_ORG_PAT }}
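Review bot: The bump to `version: 0.2.0` is warranted, because this commit removes the `git.credentials.*` values and changes the default of `git.secret.name` from `supply-chain-git-credentials` to `""`, which breaks existing `values.yml` files; nothing in the diff documents that migration (create the Git Secret yourself and set `git.secret.name` and `git.secret.namespace`), so add it to the release notes or the README "Configuration" section alongside the version bump.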

.github/workflows/test.yml

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ jobs:
1414
name: Integration Tests
1515
strategy:
1616
matrix:
17-
k8s_version: [v1.24, v1.25, v1.26]
17+
k8s_version: [v1.25, v1.26, v1.27]
1818
permissions:
1919
contents: read
2020
uses: kadras-io/github-reusable-workflows/.github/workflows/carvel-package-test-integration.yml@main

Makefile

Lines changed: 5 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
K8S_VERSION=v1.26
1+
K8S_VERSION=v1.27
22

33
# Build package configuration
44
build: package
@@ -26,6 +26,10 @@ ytt:
2626
schema:
2727
ytt -f package/config/values-schema.yml --data-values-schema-inspect -o openapi-v3 > schema-openapi.yml
2828

29+
# Use kbld to resolve the OCI images referenced within the manifests
30+
kbld:
31+
rm -f package/.imgpkg/images.yml && mkdir -p package/.imgpkg && kbld --file package/config --imgpkg-lock-output package/.imgpkg/images.yml 1>> /dev/null
32+
2933
# Check the ytt-annotated Kubernetes configuration and its validation
3034
test-config:
3135
ytt -f package/config --data-values-file test/unit/config/values.yml | kubeconform -ignore-missing-schemas -summary
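Review bot: In the new `kbld` target, `1>> /dev/null` appends to `/dev/null`, which works but reads like a typo; `>/dev/null` is the conventional form, and leaving stderr untouched is right so a failed image resolution is still visible. If the Makefile does not already declare its recipe-only targets under `.PHONY`, add `kbld` there so a stray file of that name cannot mask the target.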

README.md

Lines changed: 12 additions & 15 deletions
@@ -1,18 +1,18 @@
11
# Workspace Provisioner
22

3-
A Carvel package for provisioning and configuring workspaces (namespaces or virtual clusters) with the necessary credentials, roles and limit ranges to work with the Kadras [Engineering Platform](https://github.com/kadras-io/engineering-platform).
4-
53
![Test Workflow](https://github.com/kadras-io/workspace-provisioner/actions/workflows/test.yml/badge.svg)
64
![Release Workflow](https://github.com/kadras-io/workspace-provisioner/actions/workflows/release.yml/badge.svg)
7-
[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v0.1/levels)
5+
[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v1.0/levels)
86
[![The Apache 2.0 license badge](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
97
[![Follow us on Twitter](https://img.shields.io/static/v1?label=Twitter&message=Follow&color=1DA1F2)](https://twitter.com/kadrasIO)
108

9+
A Carvel package for provisioning and configuring workspaces (namespaces or virtual clusters) with the necessary credentials, roles and limit ranges to work with the Kadras [Engineering Platform](https://github.com/kadras-io/engineering-platform).
10+
1111
## 🚀  Getting Started
1212

1313
### Prerequisites
1414

15-
* Kubernetes 1.24+
15+
* Kubernetes 1.25+
1616
* Carvel [`kctrl`](https://carvel.dev/kapp-controller/docs/latest/install/#installing-kapp-controller-cli-kctrl) CLI.
1717
* Carvel [kapp-controller](https://carvel.dev/kapp-controller) deployed in your Kubernetes cluster. You can install it with Carvel [`kapp`](https://carvel.dev/kapp/docs/latest/install) (recommended choice) or `kubectl`.
1818

@@ -30,10 +30,9 @@ Workspace Provisioner is used as part of the Kadras [Engineering Platform](https
3030
Add the Kadras [package repository](https://github.com/kadras-io/kadras-packages) to your Kubernetes cluster:
3131

3232
```shell
33-
kubectl create namespace kadras-packages
3433
kctrl package repository add -r kadras-packages \
3534
--url ghcr.io/kadras-io/kadras-packages \
36-
-n kadras-packages
35+
-n kadras-packages --create-namespace
3736
```
3837

3938
<details><summary>Installation without package repository</summary>
@@ -86,6 +85,7 @@ The Workspace Provisioner package can be customized via a `values.yml` file.
8685
oci_registry:
8786
secret:
8887
name: supply-chain-registry-credentials
88+
namespace: kadras-packages
8989
```
9090
9191
Reference the `values.yml` file from the `kctrl` command when installing or upgrading the package.
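Review bot: The example now needs `namespace: kadras-packages` because the template exports that Secret from its namespace into every workspace namespace through a `SecretExport`; a sentence next to the example saying the Secret must already exist there when the package is installed, and that leaving either field empty disables the export entirely, would spare users a silent no-op now that the schema no longer rejects empty values.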
@@ -108,14 +108,13 @@ The Workspace Provisioner package has the following configurable properties.
108108
|-------|-------------------|-------------|
109109
| `namespaces` | `[]` | Configuration for the namespaces the platform will provision and manage. |
110110
| `service_account` | `default` | The `ServiceAccount` to be configured with credentials and roles in each workspace. |
111-
| `oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. **Required**. |
112-
| `oci_registry.secret.namespace` | `""` | The namespace of the Secret holding the credentials to access the OCI registry. **Required**. |
111+
| `oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. |
112+
| `oci_registry.secret.namespace` | `""` | The namespace of the Secret holding the credentials to access the OCI registry. |
113113
| `cosign.secret.name` | `""` | The name of the Secret holding the Cosign key pair. |
114114
| `cosign.secret.namespace` | `""` | The namespace of the Secret holding the Cosign key pair. |
115-
| `git.server` | `https://github.com` | The Git server hosting the Git repositories used in the GitOps workflows. |
116-
| `git.credentials.username` | `""` | The username to access the Git repositories. |
117-
| `git.credesntials.password` | `""` | The password to access the Git repositories. |
118-
| `git.secret.name` | `supply-chain-git-credentials` | The name of the Secret holding the Git credentials. |
115+
| `git.server` | `https://github.com` | The Git server hosting the Git repositories used by the platform. |
116+
| `git.secret.name` | `""` | The name of the Secret holding the Git credentials. |
117+
| `git.secret.namespace` | `""` | The namespace of the Secret holding the Git credentials. |
119118

120119
</details>
121120

@@ -129,6 +128,4 @@ This project is licensed under the **Apache License 2.0**. See [LICENSE](LICENSE
129128

130129
## 🙏&nbsp; Acknowledgments
131130

132-
This package is inspired by:
133-
134-
* the [namespace setup](https://github.com/vrabbi/tap-oss/tree/main/packages/dev-ns-preperation) included in an example of Tanzu Application Platform OSS stack.
131+
This package is inspired by the [namespace setup](https://github.com/vrabbi/tap-oss/tree/main/packages/dev-ns-preperation) package developed by [Scott Rosenberg](https://vrabbi.cloud).

package/config/setup-namespaces.yml

Lines changed: 57 additions & 18 deletions
@@ -1,15 +1,22 @@
11
#@ load("@ytt:data","data")
22

3+
#@ image_pull_secret_name = "canonical-registry-credentials"
4+
5+
#@ def is_oci_registry_secret_available():
6+
#@ return data.values.oci_registry.secret.name != "" and data.values.oci_registry.secret.namespace != ""
7+
#@ end
8+
39
#@ def is_cosign_secret_available():
410
#@ return data.values.cosign.secret.name != "" and data.values.cosign.secret.namespace != ""
511
#@ end
612

7-
#@ def is_git_config_available():
8-
#@ return data.values.git.server != "" and data.values.git.credentials.username != "" and data.values.git.credentials.password != ""
13+
#@ def is_git_secret_available():
14+
#@ return data.values.git.server != "" and data.values.git.secret.name != "" and data.values.git.secret.namespace != ""
915
#@ end
1016

1117
#! SECRET EXPORTS
1218

19+
#@ if/end is_oci_registry_secret_available():
1320
---
1421
apiVersion: secretgen.carvel.dev/v1alpha1
1522
kind: SecretExport
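Review bot: `is_oci_registry_secret_available()` and `is_git_secret_available()` return false when only one of `name`/`namespace` is set, so a partly configured section silently yields no `SecretExport`, no `SecretImport` and no ServiceAccount reference; with `min_len=1` removed from the schema in this same commit, the misconfiguration now surfaces only at runtime as failed image pulls or Git clones. Consider a ytt assert (or a schema `when=` validation) that fails rendering when exactly one of the two fields is set.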
@@ -18,7 +25,9 @@ metadata:
1825
namespace: #@ data.values.oci_registry.secret.namespace
1926
spec:
2027
toNamespaces:
21-
- "*"
28+
#@ for namespace in data.values.namespaces:
29+
- #@ namespace.name
30+
#@ end
2231

2332
#@ if/end is_cosign_secret_available():
2433
---
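Review bot: Replacing `toNamespaces: ["*"]` with the explicit list from `data.values.namespaces` is the right change: the wildcard made the registry credentials importable by any namespace in the cluster, not only the ones this package provisions. One edge to check: when `namespaces` is empty the loop emits nothing and `toNamespaces` renders as null; either guard the export with `len(data.values.namespaces) > 0` or confirm secretgen-controller accepts an export with no targets.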
@@ -29,7 +38,22 @@ metadata:
2938
namespace: #@ data.values.cosign.secret.namespace
3039
spec:
3140
toNamespaces:
32-
- "*"
41+
#@ for namespace in data.values.namespaces:
42+
- #@ namespace.name
43+
#@ end
44+
45+
#@ if/end is_git_secret_available():
46+
---
47+
apiVersion: secretgen.carvel.dev/v1alpha1
48+
kind: SecretExport
49+
metadata:
50+
name: #@ data.values.git.secret.name
51+
namespace: #@ data.values.git.secret.namespace
52+
spec:
53+
toNamespaces:
54+
#@ for namespace in data.values.namespaces:
55+
- #@ namespace.name
56+
#@ end
3357

3458
#! NAMESPACES
3559

@@ -43,13 +67,13 @@ metadata:
4367
annotations:
4468
kapp.k14s.io/create-strategy: fallback-on-update
4569

46-
#! OCI Registry
70+
#! Image Pull Placeholder Secret (populated by secretgen-controller)
4771

4872
---
4973
apiVersion: v1
5074
kind: Secret
5175
metadata:
52-
name: #@ data.values.oci_registry.secret.name
76+
name: #@ image_pull_secret_name
5377
namespace: #@ namespace.name
5478
annotations:
5579
secretgen.carvel.dev/image-pull-secret: ""
@@ -58,22 +82,19 @@ type: kubernetes.io/dockerconfigjson
5882
data:
5983
.dockerconfigjson: e30K
6084

61-
#! Git
85+
#! OCI Registry
6286

63-
#@ if/end is_git_config_available():
87+
#@ if/end is_oci_registry_secret_available():
6488
---
65-
apiVersion: v1
66-
kind: Secret
89+
apiVersion: secretgen.carvel.dev/v1alpha1
90+
kind: SecretImport
6791
metadata:
68-
name: #@ data.values.git.secret.name
92+
name: #@ data.values.oci_registry.secret.name
6993
namespace: #@ namespace.name
7094
annotations:
71-
tekton.dev/git-0: #@ data.values.git.server
7295
kapp.k14s.io/create-strategy: fallback-on-update
73-
type: kubernetes.io/basic-auth
74-
stringData:
75-
username: #@ data.values.git.credentials.username
76-
password: #@ data.values.git.credentials.password
96+
spec:
97+
fromNamespace: #@ data.values.oci_registry.secret.namespace
7798

7899
#! Cosign
79100

@@ -89,6 +110,21 @@ metadata:
89110
spec:
90111
fromNamespace: #@ data.values.cosign.secret.namespace
91112

113+
#! Git
114+
115+
#@ if/end is_git_secret_available():
116+
---
117+
apiVersion: secretgen.carvel.dev/v1alpha1
118+
kind: SecretImport
119+
metadata:
120+
name: #@ data.values.git.secret.name
121+
namespace: #@ namespace.name
122+
annotations:
123+
tekton.dev/git-0: #@ data.values.git.server
124+
kapp.k14s.io/create-strategy: fallback-on-update
125+
spec:
126+
fromNamespace: #@ data.values.git.secret.namespace
127+
92128
#! RBAC
93129

94130
---
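Review bot: The `tekton.dev/git-0` annotation now sits on the `SecretImport` rather than on the Secret Tekton reads, as it did in the removed `kubernetes.io/basic-auth` block; this only works if secretgen-controller copies the `SecretImport` metadata onto the Secret it creates. The renamed `01-assert.yaml` asserts the annotation on the resulting Secret, so the integration test covers it, but a comment here stating that dependency would help. The source Secret must also be `kubernetes.io/basic-auth` with `username`/`password` keys for Tekton to use it, and the package no longer controls that.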
@@ -100,12 +136,15 @@ metadata:
100136
annotations:
101137
kapp.k14s.io/create-strategy: fallback-on-update
102138
secrets:
139+
#@ if/end is_oci_registry_secret_available():
103140
- name: #@ data.values.oci_registry.secret.name
104-
#@ if/end is_git_config_available():
105-
- name: #@ data.values.git.secret.name
106141
#@ if/end is_cosign_secret_available():
107142
- name: #@ data.values.cosign.secret.name
143+
#@ if/end is_git_secret_available():
144+
- name: #@ data.values.git.secret.name
108145
imagePullSecrets:
146+
- name: #@ image_pull_secret_name
147+
#@ if/end is_oci_registry_secret_available():
109148
- name: #@ data.values.oci_registry.secret.name
110149

111150
---
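Review bot: Under `imagePullSecrets:` both `canonical-registry-credentials` and the conditionally added registry secret are listed; since the placeholder already aggregates every exported pull secret, the second entry is redundant though harmless, so keep it only if something depends on that name. With all three `secrets:` entries behind `if/end`, the key can render as an empty `secrets:`; Kubernetes accepts that, so no change is needed, just confirming it is intentional.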

package/config/values-schema.yml

Lines changed: 4 additions & 11 deletions
@@ -14,10 +14,8 @@ oci_registry:
1414
#@schema/desc "Configuration for the Secret holding the credentials to access the OCI registry."
1515
secret:
1616
#@schema/desc "The name of the Secret holding the credentials to access the OCI registry."
17-
#@schema/validation min_len=1
1817
name: ""
1918
#@schema/desc "The namespace of the Secret holding the credentials to access the OCI registry."
20-
#@schema/validation min_len=1
2119
namespace: ""
2220

2321
#@schema/desc "Settings for Cosign, used for signing and verifying OCI artifacts."
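Review bot: Removing `#@schema/validation min_len=1` makes the registry credentials optional, which matches the conditional template, but the schema can still express the pairing: a `when=` validation on `namespace` requiring it to be non-empty whenever `name` is (the pattern the removed Git validation in this file used) would turn the silent skip in `setup-namespaces.yml` into a `ytt` error at render time.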
@@ -32,15 +30,10 @@ cosign:
3230
#@schema/desc "Configuration to access the Git repositories used in the GitOps workflows."
3331
git:
3432
#@schema/desc "The Git server hosting the Git repositories used in the GitOps workflows."
35-
server: https://github.com
36-
#@schema/desc "Configuration for Git credentials."
37-
credentials:
38-
#@schema/desc "The username to access the Git repositories."
39-
username: ""
40-
#@schema/desc "The password to access the Git repositories."
41-
password: ""
33+
server: "https://github.com"
4234
#@schema/desc "Configuration for the Secret holding the Git credentials."
4335
secret:
4436
#@schema/desc "The name of the Secret holding the Git credentials."
45-
#@schema/validation when=lambda _, ctx: ctx.root["git"]["credentials"]["username"] != "" and ctx.root["git"]["credentials"]["password"] != ""
46-
name: supply-chain-git-credentials
37+
name: ""
38+
#@schema/desc "The namespace of the Secret holding the Git credentials."
39+
namespace: ""
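Review bot: The `git` description still says the repositories are "used in the GitOps workflows" while the README row changed in this commit says "used by the platform"; align the two. The `secret` description should also state what the referenced Secret must look like (type `kubernetes.io/basic-auth`, `username`/`password` keys), since the package used to build it from `git.credentials.*` and now only imports whatever the user provides.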
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
# Namespace
2+
---
3+
apiVersion: v1
4+
kind: Namespace
5+
metadata:
6+
name: kadras-packages
7+
8+
#! OCI Registry
9+
10+
---
11+
apiVersion: v1
12+
kind: Secret
13+
metadata:
14+
name: supply-chain-registry-credentials
15+
namespace: kadras-packages
16+
type: kubernetes.io/dockerconfigjson
17+
data:
18+
.dockerconfigjson: e30K
19+
20+
#! Cosign
21+
22+
---
23+
apiVersion: v1
24+
kind: Secret
25+
metadata:
26+
name: supply-chain-cosign-key-pair
27+
namespace: kadras-packages
28+
stringData:
29+
cosign.key: key
30+
cosign.password: pass
31+
cosign.pub: pub
32+
33+
#! Git
34+
35+
---
36+
apiVersion: v1
37+
kind: Secret
38+
metadata:
39+
name: supply-chain-git-credentials
40+
namespace: kadras-packages
41+
stringData:
42+
username: user
43+
password: pass
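Review bot: The `supply-chain-git-credentials` fixture has no `type:`, so it is created as `Opaque`; the Secret this package used to render was `kubernetes.io/basic-auth`, which is what Tekton expects behind the `tekton.dev/git-0` annotation. Setting the type here makes the integration test exercise the shape a real user has to provide. The placeholder values (`user`, `pass`, `key`, `pub`) are fine for a fixture.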

test/integration/default/00-assert.yaml renamed to test/integration/default/01-assert.yaml

Lines changed: 39 additions & 2 deletions
@@ -7,18 +7,52 @@ metadata:
77
annotations:
88
kapp.k14s.io/create-strategy: fallback-on-update
99

10-
#! OCI Registry
10+
#! Image Pull Placeholder Secret
1111
---
1212
apiVersion: v1
1313
kind: Secret
1414
metadata:
15-
name: supply-chain-registry-credentials
15+
name: canonical-registry-credentials
1616
namespace: test-default
1717
annotations:
1818
secretgen.carvel.dev/image-pull-secret: ""
1919
kapp.k14s.io/create-strategy: fallback-on-update
2020
type: kubernetes.io/dockerconfigjson
2121

22+
#! OCI Registry
23+
24+
---
25+
apiVersion: v1
26+
kind: Secret
27+
metadata:
28+
name: supply-chain-registry-credentials
29+
namespace: test-default
30+
annotations:
31+
kapp.k14s.io/create-strategy: fallback-on-update
32+
33+
#! Cosign
34+
35+
---
36+
apiVersion: v1
37+
kind: Secret
38+
metadata:
39+
name: supply-chain-cosign-key-pair
40+
namespace: test-default
41+
annotations:
42+
kapp.k14s.io/create-strategy: fallback-on-update
43+
44+
#! Git
45+
46+
---
47+
apiVersion: v1
48+
kind: Secret
49+
metadata:
50+
name: supply-chain-git-credentials
51+
namespace: test-default
52+
annotations:
53+
tekton.dev/git-0: https://github.com
54+
kapp.k14s.io/create-strategy: fallback-on-update
55+
2256
#! RBAC
2357
---
2458
apiVersion: v1
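Review bot: The new assertions check names, namespaces and annotations of the imported Secrets but nothing about their contents; adding `type: kubernetes.io/dockerconfigjson` to the `supply-chain-registry-credentials` block (as the placeholder block already does) and `type: kubernetes.io/basic-auth` to the Git block would verify that secretgen-controller actually copied the source Secret rather than creating an empty one.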
@@ -30,7 +64,10 @@ metadata:
3064
kapp.k14s.io/create-strategy: fallback-on-update
3165
secrets:
3266
- name: supply-chain-registry-credentials
67+
- name: supply-chain-cosign-key-pair
68+
- name: supply-chain-git-credentials
3369
imagePullSecrets:
70+
- name: canonical-registry-credentials
3471
- name: supply-chain-registry-credentials
3572

3673
---
