From 48b27b2b5e0e311c63b4aab8f40abb1a5aad740f Mon Sep 17 00:00:00 2001 
From: Yuwen Ma Date: Mon, 29 Aug 2022 16:27:07 -0700 Subject: [PATCH] Add porch installation and Config sync installation from porch --- infra/environment/project.yaml | 1 - ...nfig.porch.kpt.dev_remoterootsyncsets.yaml | 296 ++++++++++++++ .../config.porch.kpt.dev_repositories.yaml | 372 ++++++++++++++++++ .../config.porch.kpt.dev_rootsyncsets.yaml | 192 +++++++++ ...orch.kpt.dev_workloadidentitybindings.yaml | 167 ++++++++ .../from-configsync/remoteRootSyncSet.yaml | 15 + infra/porch/from-configsync/rootSyncSet.yaml | 19 + infra/porch/from-yaml/crds/Kptfile | 18 + ...nfig.porch.kpt.dev_remoterootsyncsets.yaml | 209 ++++++++++ .../config.porch.kpt.dev_rootsyncsets.yaml | 147 +++++++ ...orch.kpt.dev_workloadidentitybindings.yaml | 121 ++++++ .../from-yaml/orchestrator/1-namespace.yaml | 27 ++ .../orchestrator/2-function-runner.yaml | 116 ++++++ .../orchestrator/3-porch-server.yaml | 81 ++++ .../from-yaml/orchestrator/4-apiservice.yaml | 29 ++ .../porch/from-yaml/orchestrator/5-rbac.yaml | 63 +++ .../from-yaml/orchestrator/6-rbac-bind.yaml | 60 +++ .../from-yaml/orchestrator/7-auth-reader.yaml | 29 ++ .../orchestrator/8-auth-delegator.yaml | 28 ++ .../from-yaml/orchestrator/9-controllers.yaml | 127 ++++++ infra/porch/from-yaml/orchestrator/Kptfile | 20 + infra/porch/from-yaml/rbac/Kptfile | 18 + infra/porch/from-yaml/rbac/role.yaml | 105 +++++ .../from-yaml/ui/1-namespace-backstage.yaml | 17 + infra/porch/from-yaml/ui/2-secret.yaml | 10 + infra/porch/from-yaml/ui/3-deployment.yaml | 47 +++ 26 files changed, 2333 insertions(+), 1 deletion(-) create mode 100644 infra/porch/crds/config.porch.kpt.dev_remoterootsyncsets.yaml create mode 100644 infra/porch/crds/config.porch.kpt.dev_repositories.yaml create mode 100644 infra/porch/crds/config.porch.kpt.dev_rootsyncsets.yaml create mode 100644 infra/porch/crds/config.porch.kpt.dev_workloadidentitybindings.yaml create mode 100644 infra/porch/from-configsync/remoteRootSyncSet.yaml create mode 100644 
infra/porch/from-configsync/rootSyncSet.yaml create mode 100644 infra/porch/from-yaml/crds/Kptfile create mode 100644 infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml create mode 100644 infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml create mode 100644 infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml create mode 100644 infra/porch/from-yaml/orchestrator/1-namespace.yaml create mode 100644 infra/porch/from-yaml/orchestrator/2-function-runner.yaml create mode 100644 infra/porch/from-yaml/orchestrator/3-porch-server.yaml create mode 100644 infra/porch/from-yaml/orchestrator/4-apiservice.yaml create mode 100644 infra/porch/from-yaml/orchestrator/5-rbac.yaml create mode 100644 infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml create mode 100644 infra/porch/from-yaml/orchestrator/7-auth-reader.yaml create mode 100644 infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml create mode 100644 infra/porch/from-yaml/orchestrator/9-controllers.yaml create mode 100644 infra/porch/from-yaml/orchestrator/Kptfile create mode 100644 infra/porch/from-yaml/rbac/Kptfile create mode 100644 infra/porch/from-yaml/rbac/role.yaml create mode 100644 infra/porch/from-yaml/ui/1-namespace-backstage.yaml create mode 100644 infra/porch/from-yaml/ui/2-secret.yaml create mode 100644 infra/porch/from-yaml/ui/3-deployment.yaml diff --git a/infra/environment/project.yaml b/infra/environment/project.yaml index 18ac42d..09f875e 100644 --- a/infra/environment/project.yaml +++ b/infra/environment/project.yaml @@ -21,7 +21,6 @@ spec: displayName: packagename folderRef: name: environments - namepace: environments-ns --- diff --git a/infra/porch/crds/config.porch.kpt.dev_remoterootsyncsets.yaml b/infra/porch/crds/config.porch.kpt.dev_remoterootsyncsets.yaml new file mode 100644 index 0000000..8966c0b --- /dev/null +++ b/infra/porch/crds/config.porch.kpt.dev_remoterootsyncsets.yaml 
@@ -0,0 +1,296 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: remoterootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RemoteRootSyncSet + listKind: RemoteRootSyncSetList + plural: remoterootsyncsets + singular: remoterootsyncset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.aggregated.applied + name: AppliedCount + type: integer + - jsonPath: .status.aggregated.ready + name: ReadyCount + type: integer + - jsonPath: .status.aggregated.total + name: Total + type: integer + - jsonPath: .status.aggregated.conditions[?(@.type=='Applied')].reason + name: Applied + type: string + - jsonPath: .status.aggregated.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: "RemoteRootSyncSet represents applying a package to multiple + target clusters. In future, this should use ConfigSync, but while we're + iterating on OCI/porch support, and making a few similar iterations (e.g. + what feedback do we need for rollout), we're just applying directly to the + target cluster(s). 
\n We follow the \"managed remote objects\" pattern; + we don't want to create a mirror object, so we start with the \"ReplicaSet\" + of Pod/ReplicaSet/Deployment. \n spec.clusterRefs specifies the target clusters + \n spec.template maps to the spec of our \"Pod\", in this case a ConfigSync + RootSync/RepoSync. Because we're not actually using ConfigSync in this prototype, + we are only defining a small subset of fields." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RemoteRootSyncSetSpec defines the desired state of RemoteRootSync + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: array + template: + properties: + oci: + description: Git *GitInfo `json:"git,omitempty"` + properties: + repository: + type: string + type: object + sourceFormat: + type: string + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + aggregated: + properties: + applied: + format: int32 + type: integer + conditions: + description: Conditions describes the reconciliation state of + the object. + items: + description: "Condition contains details for one aspect of the + current state of this API Resource. 
--- This struct is intended + for direct use as an array at the field path .status.conditions. + \ For example, type FooStatus struct{ // Represents the observations + of a foo's current state. // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type + // +patchStrategy=merge // +listType=map // +listMapKey=type + Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be + when the underlying condition changed. If that is not + known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if + .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values + and meanings for this field, and whether the values are + considered a guaranteed API. The value should be a CamelCase + string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + format: int32 + type: integer + total: + format: int32 + type: integer + required: + - applied + - ready + - total + type: object + targets: + items: + properties: + conditions: + description: Conditions describes the reconciliation state of + the object. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ref: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/crds/config.porch.kpt.dev_repositories.yaml b/infra/porch/crds/config.porch.kpt.dev_repositories.yaml new file mode 100644 index 0000000..a38433a --- /dev/null +++ b/infra/porch/crds/config.porch.kpt.dev_repositories.yaml 
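Review bot: The CRD added here for remoterootsyncsets.config.porch.kpt.dev is controller-gen output (annotation controller-gen.kubebuilder.io/version: v0.8.0) copied into infra/porch/crds/ with no record of the porch commit or release it was generated from, and the diffstat lists a second copy of the same CRD under infra/porch/from-yaml/crds/ at a different length (296 vs 209 lines), which suggests the two copies carry different schemas for one CRD name. If both directories end up applied to the cluster, whichever copy is applied last would replace the other's schema without any error, so the served schema depends on apply order. I would keep a single copy, or at least add a provenance comment after the license block in each copy, e.g. `# Generated by controller-gen from porch <PORCH_COMMIT_OR_TAG>; do not edit, re-vendor instead.`, so drift against the deployed porch server can be checked. The same applies to the rootsyncsets (192 vs 147 lines) and workloadidentitybindings (167 vs 121 lines) CRDs in the diffstat.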
@@ -0,0 +1,372 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: repositories.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: Repository + listKind: RepositoryList + plural: repositories + singular: repository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.type + name: Type + type: string + - jsonPath: .spec.content + name: Content + type: string + - jsonPath: .spec.deployment + name: Deployment + type: boolean + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .spec['git','oci']['repo','registry'] + name: Address + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Repository + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "RepositorySpec defines the desired state of Repository \n + Notes: - deployment repository - in KRM API ConfigSync would be configured + directly? (or via this API)" + properties: + content: + description: 'Content stored in the repository (i.e. Function, Package + - the literal values correspond to the API resource names). TODO: + support repository with mixed content?' + type: string + deployment: + description: The repository is a deployment repository; final packages + in this repository are deployment ready. + type: boolean + description: + description: User-friendly description of the repository + type: string + git: + description: Git repository details. Required if `type` is `git`. + Ignored if `type` is not `git`. + properties: + branch: + description: Name of the branch containing the packages. Finalized + packages will be committed to this branch (if the repository + allows write access). If unspecified, defaults to "main". + type: string + createBranch: + description: CreateBranch specifies if Porch should create the + package branch if it doesn't exist. + type: boolean + directory: + description: Directory within the Git repository where the packages + are stored. A subdirectory of this directory containing a Kptfile + is considered a package. If unspecified, defaults to root directory. + type: string + repo: + description: 'Address of the Git repository, for example: `https://github.com/GoogleCloudPlatform/blueprints.git`' + type: string + secretRef: + description: Reference to secret containing authentication credentials. + properties: + name: + description: Name of the secret. The secret is expected to + be located in the same namespace as the resource containing + the reference. 
+ type: string + required: + - name + type: object + required: + - repo + type: object + mutators: + description: '`Mutators` specifies list of functions to be added to + the list of package''s mutators on changes to the packages in the + repository to ensure the packages meet constraints enforced by the + mutators associated with the repository. Based on the Kubernetest + Admission Controllers (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). + The functions will be evaluated in the order specified in the list.' + items: + properties: + configMap: + additionalProperties: + type: string + description: '`ConfigMap` specifies the function config (https://kpt.dev/reference/cli/fn/eval/).' + type: object + functionRef: + description: '`FunctionRef` specifies the function by reference + to a Function resource. Mutually exclusive with `Image`.' + properties: + name: + description: '`Name` is the name of the `Function` resource + referenced. The resource is expected to be within the + same namespace.' + type: string + required: + - name + type: object + image: + description: '`Image` specifies the function image, such as + `gcr.io/kpt-fn/gatekeeper:v0.2`. Use of `Image` is mutually + exclusive with `FunctionRef`.' + type: string + type: object + type: array + oci: + description: OCI repository details. Required if `type` is `oci`. + Ignored if `type` is not `oci`. + properties: + registry: + description: Registry is the address of the OCI registry + type: string + secretRef: + description: Reference to secret containing authentication credentials. + properties: + name: + description: Name of the secret. The secret is expected to + be located in the same namespace as the resource containing + the reference. + type: string + required: + - name + type: object + required: + - registry + type: object + type: + description: Type of the repository (i.e. 
git, OCI) + type: string + upstream: + description: Upstream is the default upstream repository for packages + in this repository. Specifying it per repository allows simpler + UX when creating packages. + properties: + git: + description: Git repository details. Required if `type` is `git`. + Must be unspecified if `type` is not `git`. + properties: + branch: + description: Name of the branch containing the packages. Finalized + packages will be committed to this branch (if the repository + allows write access). If unspecified, defaults to "main". + type: string + createBranch: + description: CreateBranch specifies if Porch should create + the package branch if it doesn't exist. + type: boolean + directory: + description: Directory within the Git repository where the + packages are stored. A subdirectory of this directory containing + a Kptfile is considered a package. If unspecified, defaults + to root directory. + type: string + repo: + description: 'Address of the Git repository, for example: + `https://github.com/GoogleCloudPlatform/blueprints.git`' + type: string + secretRef: + description: Reference to secret containing authentication + credentials. + properties: + name: + description: Name of the secret. The secret is expected + to be located in the same namespace as the resource + containing the reference. + type: string + required: + - name + type: object + required: + - repo + type: object + oci: + description: OCI repository details. Required if `type` is `oci`. + Must be unspecified if `type` is not `oci`. + properties: + registry: + description: Registry is the address of the OCI registry + type: string + secretRef: + description: Reference to secret containing authentication + credentials. + properties: + name: + description: Name of the secret. The secret is expected + to be located in the same namespace as the resource + containing the reference. 
+ type: string + required: + - name + type: object + required: + - registry + type: object + repositoryRef: + description: RepositoryRef contains a reference to an existing + Repository resource to be used as the default upstream repository. + properties: + name: + description: Name of the Repository resource referenced. + type: string + required: + - name + type: object + type: + description: Type of the repository (i.e. git, OCI). If empty, + repositoryRef will be used. + type: string + type: object + validators: + description: '`Validators` specifies list of functions to be added + to the list of package''s validators on changes to the packages + in the repository to ensure the packages meet constraints enforced + by the validators associated with the repository. Based on the Kubernetest + Admission Controllers (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). + The functions will be evaluated in the order specified in the list.' + items: + properties: + configMap: + additionalProperties: + type: string + description: '`ConfigMap` specifies the function config (https://kpt.dev/reference/cli/fn/eval/).' + type: object + functionRef: + description: '`FunctionRef` specifies the function by reference + to a Function resource. Mutually exclusive with `Image`.' + properties: + name: + description: '`Name` is the name of the `Function` resource + referenced. The resource is expected to be within the + same namespace.' + type: string + required: + - name + type: object + image: + description: '`Image` specifies the function image, such as + `gcr.io/kpt-fn/gatekeeper:v0.2`. Use of `Image` is mutually + exclusive with `FunctionRef`.' + type: string + type: object + type: array + type: object + status: + description: RepositoryStatus defines the observed state of Repository + properties: + conditions: + description: Conditions describes the reconciliation state of the + object. 
+ items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/crds/config.porch.kpt.dev_rootsyncsets.yaml b/infra/porch/crds/config.porch.kpt.dev_rootsyncsets.yaml new file mode 100644 index 0000000..2ac1a38 --- /dev/null +++ b/infra/porch/crds/config.porch.kpt.dev_rootsyncsets.yaml 
@@ -0,0 +1,192 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: rootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RootSyncSet + listKind: RootSyncSetList + plural: rootsyncsets + singular: rootsyncset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RootSyncSet is the Schema for the rootsyncsets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RootSyncSetSpec defines the desired state of RootSyncSet + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - namespace + type: object + type: array + template: + properties: + spec: + properties: + git: + properties: + auth: + type: string + branch: + type: string + dir: + type: string + gcpServiceAccountEmail: + type: string + noSSLVerify: + type: boolean + period: + type: string + proxy: + type: string + repo: + type: string + revision: + type: string + secretRef: + description: SecretReference contains the reference to + the secret used to connect to Git source of truth. + properties: + name: + description: Name represents the secret name. + type: string + type: object + required: + - auth + - repo + type: object + sourceFormat: + type: string + type: object + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + conditions: + description: Conditions describes the reconciliation state of the + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/crds/config.porch.kpt.dev_workloadidentitybindings.yaml b/infra/porch/crds/config.porch.kpt.dev_workloadidentitybindings.yaml new file mode 100644 index 0000000..645e231 --- /dev/null +++ b/infra/porch/crds/config.porch.kpt.dev_workloadidentitybindings.yaml 
@@ -0,0 +1,167 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: workloadidentitybindings.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: WorkloadIdentityBinding + listKind: WorkloadIdentityBindingList + plural: workloadidentitybindings + singular: workloadidentitybinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkloadIdentityBinding + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkloadIdentityBindingSpec defines the desired state of + RemoteRootSync + properties: + resourceRef: + properties: + apiVersion: + type: string + external: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + serviceAccountRef: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + status: + description: WorkloadIdentityBindingStatus defines the observed state + of WorkloadIdentityBinding + properties: + conditions: + description: Conditions describes the reconciliation state of the + object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-configsync/remoteRootSyncSet.yaml b/infra/porch/from-configsync/remoteRootSyncSet.yaml new file mode 100644 index 0000000..26ddd4c --- /dev/null 
+++ b/infra/porch/from-configsync/remoteRootSyncSet.yaml
@@ -0,0 +1,15 @@
+apiVersion: config.porch.kpt.dev/v1alpha1
+kind: RemoteRootSyncSet
+metadata:
+ name: porch-install
+ namespace: dev
+spec:
+ clusterRefs:
+ - apiVersion: container.cnrm.cloud.google.com/v1beta1
+ kind: ContainerCluster
+ name: us-central1
+ namespace: dev
+ template:
+ sourceFormat: unstructured
+ oci:
+ repository: gcr.io/yuwenma-gke-catalyst-goog-rlol/porch:v0.1
diff --git a/infra/porch/from-configsync/rootSyncSet.yaml b/infra/porch/from-configsync/rootSyncSet.yaml
new file mode 100644
index 0000000..c76eadf
--- /dev/null
+++ b/infra/porch/from-configsync/rootSyncSet.yaml
@@ -0,0 +1,19 @@
+apiVersion: config.porch.kpt.dev/v1alpha1
+kind: RootSyncSet
+metadata:
+ name: porch-install
+ namespace: dev
+spec:
+ clusterRefs:
+ - apiVersion: container.cnrm.cloud.google.com/v1beta1
+ kind: ContainerCluster
+ name: us-central1
+ namespace: dev
+ template:
+ spec:
+ sourceFormat: unstructured
+ git:
+ auth: none
+ repo: http://github.com/GoogleContainerTools/kpt-samples.git
+ branch: dogfood-porch-installation
+ dir: infra/porch/from-yaml
diff --git a/infra/porch/from-yaml/crds/Kptfile b/infra/porch/from-yaml/crds/Kptfile
new file mode 100644
index 0000000..078d4ed
--- /dev/null
+++ b/infra/porch/from-yaml/crds/Kptfile
@@ -0,0 +1,18 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: crds
+upstream:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/controllers/config/crd/bases
+ ref: porch/v0.0.9
+ updateStrategy: resource-merge
+upstreamLock:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/controllers/config/crd/bases
+ ref: porch/v0.0.9
+ commit: 1c7ebea5b4c9f41321ed28126f8b2b8ff71aba71
diff --git a/infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml b/infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml
new file mode 100644
index 0000000..c76ace4
--- /dev/null
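Review bot: The OCI source on the last line of the remoteRootSyncSet hunk, `repository: gcr.io/yuwenma-gke-catalyst-goog-rlol/porch:v0.1`, is a mutable tag in what looks like an individual's GCP project rather than a project-owned registry, so whoever can push to that registry decides what gets applied to the `us-central1` cluster. The RemoteRootSyncSet schema earlier in this patch types `repository` as a plain string, so if the controller accepts digest references, pinning it as `repository: gcr.io/<project>/porch@sha256:<digest>` would make the rollout reproducible and tamper-evident. I cannot tell from the hunk whether this is meant as a throwaway dogfood source; a comment above `oci:` stating that, and which registry the final version should use, would help the next reader.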
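Review bot: `repo: http://github.com/GoogleContainerTools/kpt-samples.git` in the rootSyncSet hunk fetches the package that is applied to the cluster over plaintext HTTP, which gives no integrity guarantee for the configuration in transit; it should read `repo: https://github.com/GoogleContainerTools/kpt-samples.git`. The source is also selected only by `branch: dogfood-porch-installation`, a moving ref, while the RootSyncSet schema in this patch exposes a `revision` field under `git` that could pin a specific commit and make the sync reproducible. `auth: none` is reasonable for a public repository provided the URL stays HTTPS.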
+++ b/infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml 
@@ -0,0 +1,209 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /remoterootsyncsets.config.porch.kpt.dev + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + internal.kpt.dev/upstream-identifier: 'apiextensions.k8s.io|CustomResourceDefinition|default|remoterootsyncsets.config.porch.kpt.dev' + creationTimestamp: null + name: remoterootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RemoteRootSyncSet + listKind: RemoteRootSyncSetList + plural: remoterootsyncsets + singular: remoterootsyncset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.aggregated.applied + name: AppliedCount + type: integer + - jsonPath: .status.aggregated.ready + name: ReadyCount + type: integer + - jsonPath: .status.aggregated.total + name: Total + type: integer + - jsonPath: .status.aggregated.conditions[?(@.type=='Applied')].reason + name: Applied + type: string + - jsonPath: .status.aggregated.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: "RemoteRootSyncSet represents applying a package to multiple target clusters. In future, this should use ConfigSync, but while we're iterating on OCI/porch support, and making a few similar iterations (e.g. what feedback do we need for rollout), we're just applying directly to the target cluster(s). \n We follow the \"managed remote objects\" pattern; we don't want to create a mirror object, so we start with the \"ReplicaSet\" of Pod/ReplicaSet/Deployment. \n spec.clusterRefs specifies the target clusters \n spec.template maps to the spec of our \"Pod\", in this case a ConfigSync RootSync/RepoSync. Because we're not actually using ConfigSync in this prototype, we are only defining a small subset of fields." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RemoteRootSyncSetSpec defines the desired state of RemoteRootSync + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: array + template: + properties: + oci: + description: Git *GitInfo `json:"git,omitempty"` + properties: + repository: + type: string + type: object + sourceFormat: + type: string + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + aggregated: + properties: + applied: + format: int32 + type: integer + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + format: int32 + type: integer + total: + format: int32 + type: integer + required: + - applied + - ready + - total + type: object + targets: + items: + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ref: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml b/infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml
new file mode 100644
index 0000000..17e2604
--- /dev/null
+++ b/infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml
@@ -0,0 +1,147 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /rootsyncsets.config.porch.kpt.dev + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + internal.kpt.dev/upstream-identifier: 'apiextensions.k8s.io|CustomResourceDefinition|default|rootsyncsets.config.porch.kpt.dev' + creationTimestamp: null + name: rootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RootSyncSet + listKind: RootSyncSetList + plural: rootsyncsets + singular: rootsyncset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RootSyncSet is the Schema for the rootsyncsets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RootSyncSetSpec defines the desired state of RootSyncSet + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - namespace + type: object + type: array + template: + properties: + spec: + properties: + git: + properties: + auth: + type: string + branch: + type: string + dir: + type: string + gcpServiceAccountEmail: + type: string + noSSLVerify: + type: boolean + period: + type: string + proxy: + type: string + repo: + type: string + revision: + type: string + secretRef: + description: SecretReference contains the reference to the secret used to connect to Git source of truth. + properties: + name: + description: Name represents the secret name. + type: string + type: object + required: + - auth + - repo + type: object + sourceFormat: + type: string + type: object + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml b/infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml new file mode 100644 index 0000000..9267489 --- /dev/null +++ b/infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml 
@@ -0,0 +1,121 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /workloadidentitybindings.config.porch.kpt.dev + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + internal.kpt.dev/upstream-identifier: 'apiextensions.k8s.io|CustomResourceDefinition|default|workloadidentitybindings.config.porch.kpt.dev' + creationTimestamp: null + name: workloadidentitybindings.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: WorkloadIdentityBinding + listKind: WorkloadIdentityBindingList + plural: workloadidentitybindings + singular: workloadidentitybinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkloadIdentityBinding + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkloadIdentityBindingSpec defines the desired state of RemoteRootSync + properties: + resourceRef: + properties: + apiVersion: + type: string + external: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + serviceAccountRef: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + status: + description: WorkloadIdentityBindingStatus defines the observed state of WorkloadIdentityBinding + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/orchestrator/1-namespace.yaml b/infra/porch/from-yaml/orchestrator/1-namespace.yaml new file mode 100644 index 0000000..f92f2aa --- /dev/null 
+++ b/infra/porch/from-yaml/orchestrator/1-namespace.yaml
@@ -0,0 +1,27 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata: # kpt-merge: /porch-system
+ name: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|Namespace|default|porch-system'
+---
+apiVersion: v1
+kind: Namespace
+metadata: # kpt-merge: /porch-fn-system
+ name: porch-fn-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|Namespace|default|porch-fn-system'
diff --git a/infra/porch/from-yaml/orchestrator/2-function-runner.yaml b/infra/porch/from-yaml/orchestrator/2-function-runner.yaml
new file mode 100644
index 0000000..de7d89c
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/2-function-runner.yaml
@@ -0,0 +1,116 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ServiceAccount
+apiVersion: v1
+metadata: # kpt-merge: porch-system/porch-fn-runner
+ name: porch-fn-runner
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|ServiceAccount|porch-system|porch-fn-runner'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata: # kpt-merge: porch-system/function-runner
+ name: function-runner
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'apps|Deployment|porch-system|function-runner'
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: function-runner
+ template:
+ metadata:
+ labels:
+ app: function-runner
+ spec:
+ serviceAccountName: porch-fn-runner
+ containers:
+ - name: function-runner
+ image: gcr.io/kpt-dev/porch-function-runner:v0.0.9
+ imagePullPolicy: IfNotPresent
+ command:
+ - /server
+ - --config=/config.yaml
+ - --functions=/functions
+ - --pod-namespace=porch-fn-system
+ env:
+ - name: WRAPPER_SERVER_IMAGE
+ value: gcr.io/kpt-dev/porch-wrapper-server:v0.0.9
+ ports:
+ - containerPort: 9445
+ # Add grpc readiness probe to ensure the cache is ready
+ readinessProbe:
+ exec:
+ command:
+ - /grpc-health-probe
+ - -addr
+ - localhost:9445
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "125m"
+ volumeMounts:
+ - mountPath: /pod-cache-config
+ name: pod-cache-config-volume
+ volumes:
+ - name: pod-cache-config-volume
+ configMap:
+ name: pod-cache-config
+---
+apiVersion: v1
+kind: Service
+metadata: # kpt-merge: porch-system/function-runner
+ name: function-runner
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|Service|porch-system|function-runner'
+spec:
+ selector:
+ app: function-runner
+ ports:
+ - port: 9445
+ protocol: TCP
+ targetPort: 9445
+---
+apiVersion: v1
+kind: ConfigMap
+metadata: # kpt-merge: porch-system/pod-cache-config
+ name: pod-cache-config
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|ConfigMap|porch-system|pod-cache-config'
+data:
+ pod-cache-config.yaml: |
+ gcr.io/kpt-fn/apply-replacements:v0.1.1: 30m
+ gcr.io/kpt-fn/apply-setters:v0.2.0: 30m
+ gcr.io/kpt-fn/create-setters:v0.1.0: 30m
+ gcr.io/kpt-fn/ensure-name-substring:v0.2.0: 30m
+ gcr.io/kpt-fn/gatekeeper:v0.2.1: 30m
+ gcr.io/kpt-fn/kubeval:v0.2.0: 30m
+ gcr.io/kpt-fn/search-replace:v0.2.0: 30m
+ gcr.io/kpt-fn/set-annotations:v0.1.4: 30m
+ gcr.io/kpt-fn/set-enforcement-action:v0.1.0: 30m
+ gcr.io/kpt-fn/set-image:v0.1.1: 30m
+ gcr.io/kpt-fn/set-labels:v0.1.5: 30m
+ gcr.io/kpt-fn/set-namespace:v0.4.1: 30m
+ gcr.io/kpt-fn/starlark:v0.4.3: 30m
+ gcr.io/kpt-fn/upsert-resource:v0.2.0: 30m
+ gcr.io/kpt-fn/enable-gcp-services:v0.1.0: 30m
+ gcr.io/kpt-fn/export-terraform:v0.1.0: 30m
+ gcr.io/kpt-fn/generate-folders:v0.1.1: 30m
+ gcr.io/kpt-fn/remove-local-config-resources:v0.1.0: 30m
+ gcr.io/kpt-fn/set-project-id:v0.2.0: 30m
diff --git a/infra/porch/from-yaml/orchestrator/3-porch-server.yaml b/infra/porch/from-yaml/orchestrator/3-porch-server.yaml
new file mode 100644
index 0000000..1ad6ac9
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/3-porch-server.yaml
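Review bot: The `function-runner` Deployment sets only `resources.requests` and no `limits`, and neither the pod nor the container carries a `securityContext`, although this is the process that launches function executor pods (`--pod-namespace=porch-fn-system`, with the `pods` create/delete Role bound to `porch-fn-runner` later in this commit) running the third-party function images listed in `pod-cache-config`. For that role I would add at least `allowPrivilegeEscalation: false` and `runAsNonRoot: true` on the container plus a memory limit, or, if the upstream package deliberately omits them, a comment saying so next to `resources:`. All images here are pinned by tag (`v0.0.9`), so a retag upstream silently changes what runs; `# TODO: pin by digest once mirrored` would record that as a known gap.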
@@ -0,0 +1,81 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ServiceAccount
+apiVersion: v1
+metadata: # kpt-merge: porch-system/porch-server
+ name: porch-server
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|ServiceAccount|porch-system|porch-server'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata: # kpt-merge: porch-system/porch-server
+ name: porch-server
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'apps|Deployment|porch-system|porch-server'
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: porch-server
+ template:
+ metadata:
+ labels:
+ app: porch-server
+ spec:
+ serviceAccountName: porch-server
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ containers:
+ - name: porch-server
+ # Update image to the image of your porch apiserver build.
+ image: gcr.io/kpt-dev/porch-server:v0.0.9
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+ limits:
+ memory: "512Mi"
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ env:
+ # Uncomment to enable trace-reporting to jaeger
+ #- name: OTEL
+ # value: otel://jaeger-oltp:4317
+ - name: OTEL_SERVICE_NAME
+ value: porch-server
+ args:
+ - --function-runner=function-runner:9445
+ - --cache-directory=/cache
+---
+apiVersion: v1
+kind: Service
+metadata: # kpt-merge: porch-system/api
+ name: api
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|Service|porch-system|api'
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ app: porch-server
diff --git a/infra/porch/from-yaml/orchestrator/4-apiservice.yaml b/infra/porch/from-yaml/orchestrator/4-apiservice.yaml
new file mode 100644
index 0000000..9cd745f
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/4-apiservice.yaml
@@ -0,0 +1,29 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata: # kpt-merge: /v1alpha1.porch.kpt.dev
+ name: v1alpha1.porch.kpt.dev
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'apiregistration.k8s.io|APIService|default|v1alpha1.porch.kpt.dev'
+spec:
+ insecureSkipTLSVerify: true
+ group: porch.kpt.dev
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: api
+ namespace: porch-system
+ version: v1alpha1
diff --git a/infra/porch/from-yaml/orchestrator/5-rbac.yaml b/infra/porch/from-yaml/orchestrator/5-rbac.yaml
new file mode 100644
index 0000000..45d902b
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/5-rbac.yaml
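Review bot: `insecureSkipTLSVerify: true` on the `v1alpha1.porch.kpt.dev` APIService makes kube-apiserver forward every porch request to the `api` Service in `porch-system` without verifying the extension server's serving certificate, so anything that can answer on that Service name is trusted as the porch API. `3-porch-server.yaml` in this commit exposes port 443 with no visible certificate configuration, which suggests this is what the upstream package ships for development; for an environment this repo provisions, the field should be replaced by a `caBundle:` carrying the CA of porch-server's serving cert (cert-manager or the cluster CA), with `insecureSkipTLSVerify` dropped. If it has to stay for now, mark it: `# dev-only: no caBundle, kube-apiserver does not verify porch-server's serving cert`.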
@@ -0,0 +1,63 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: # kpt-merge: /aggregated-apiserver-clusterrole
+ name: aggregated-apiserver-clusterrole
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRole|default|aggregated-apiserver-clusterrole'
+rules:
+ - apiGroups: [""]
+ resources: ["namespaces", "secrets"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["config.porch.kpt.dev"]
+ resources: ["repositories", "repositories/status"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ # Needed for priority and fairness
+ - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ verbs: ["get", "watch", "list"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: # kpt-merge: porch-system/aggregated-apiserver-role
+ name: aggregated-apiserver-role
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|Role|porch-system|aggregated-apiserver-role'
+rules:
+ # Needed for workload identity
+ - apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: # kpt-merge: porch-fn-system/porch-function-executor
+ name: porch-function-executor
+ namespace: porch-fn-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|Role|porch-fn-system|porch-function-executor'
+rules:
+ # Needed to launch / read function executor pods
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create", "delete", "patch", "get", "watch", "list"]
diff --git a/infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml b/infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml
new file mode 100644
index 0000000..d0094d4
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml
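Review bot: `aggregated-apiserver-clusterrole` grants `get`/`watch`/`list` on `secrets` in every namespace, and `6-rbac-bind.yaml` binds it cluster-wide to `porch-server`, so a compromise of that pod (or of the unverified `api` Service it sits behind) reads every secret in the cluster. Repository credentials presumably can live in any namespace, which is why the upstream role is cluster-scoped, but if this environment only expects `Repository` objects in a known set of namespaces, per-namespace Roles would be the safer shape; otherwise document the decision above the rule, e.g. `# cluster-wide: Repository auth secrets may live in any namespace`. The `serviceaccounts/token` create verb in `aggregated-apiserver-role` likewise lets porch-server mint tokens for any ServiceAccount in `porch-system`, including `porch-controllers`; if the accounts it needs are known, `resourceNames:` can pin it to those.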
@@ -0,0 +1,60 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata: # kpt-merge: /sample-apiserver-clusterrolebinding
+ name: sample-apiserver-clusterrolebinding
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRoleBinding|default|sample-apiserver-clusterrolebinding'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: aggregated-apiserver-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata: # kpt-merge: porch-system/sample-apiserver-rolebinding
+ name: sample-apiserver-rolebinding
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|RoleBinding|porch-system|sample-apiserver-rolebinding'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: aggregated-apiserver-role
+subjects:
+ - kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata: # kpt-merge: porch-fn-system/porch-function-executor
+ name: porch-function-executor
+ namespace: porch-fn-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|RoleBinding|porch-fn-system|porch-function-executor'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: porch-function-executor
+subjects:
+ - kind: ServiceAccount
+ name: porch-fn-runner
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/7-auth-reader.yaml b/infra/porch/from-yaml/orchestrator/7-auth-reader.yaml
new file mode 100644
index 0000000..f10b8c5
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/7-auth-reader.yaml
@@ -0,0 +1,29 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata: # kpt-merge: kube-system/porch-auth-reader
+ name: porch-auth-reader
+ namespace: kube-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|RoleBinding|kube-system|porch-auth-reader'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml b/infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml
new file mode 100644
index 0000000..2521a6d
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml
@@ -0,0 +1,28 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata: # kpt-merge: /porch:system:auth-delegator
+ name: porch:system:auth-delegator
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRoleBinding|default|porch:system:auth-delegator'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/9-controllers.yaml b/infra/porch/from-yaml/orchestrator/9-controllers.yaml
new file mode 100644
index 0000000..65b7437
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/9-controllers.yaml
@@ -0,0 +1,127 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ServiceAccount
+apiVersion: v1
+metadata: # kpt-merge: porch-system/porch-controllers
+ name: porch-controllers
+ namespace: porch-system
+ annotations:
+ internal.kpt.dev/upstream-identifier: '|ServiceAccount|porch-system|porch-controllers'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata: # kpt-merge: porch-system/porch-controllers
+ name: porch-controllers
+ namespace: porch-system
+ labels:
+ k8s-app: "porch-controllers"
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'apps|Deployment|porch-system|porch-controllers'
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: "porch-controllers"
+ template:
+ metadata:
+ labels:
+ k8s-app: "porch-controllers"
+ spec:
+ serviceAccountName: porch-controllers
+ containers:
+ - name: porch-controllers
+ # Update to the image of your porch-controllers build.
+ image: gcr.io/kpt-dev/porch-controllers:v0.0.9
+ env:
+ - name: GCP_PROJECT_ID
+ value: example-google-project-id
+ - name: HACK_ENABLE_LOOPBACK
+ value: "1"
+---
+# TODO: Part of this is currently copied from porch/controller/config/rbac/role.yaml
+# We should find a better solution.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: # kpt-merge: /porch-controllers
+ name: porch-controllers
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRole|default|porch-controllers'
+rules:
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["repositories"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["remoterootsyncsets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["remoterootsyncsets/status"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["remoterootsyncsets/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["rootsyncsets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["rootsyncsets/status"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["rootsyncsets/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["workloadidentitybindings"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["workloadidentitybindings/status"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["config.porch.kpt.dev"]
+ resources: ["workloadidentitybindings/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["configcontroller.cnrm.cloud.google.com"]
+ resources: ["configcontrollerinstances"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["container.cnrm.cloud.google.com"]
+ resources: ["containerclusters"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["core.cnrm.cloud.google.com"]
+ resources: ["configconnectorcontexts"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["hub.gke.io"]
+ resources: ["memberships"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata: # kpt-merge: /porch-system:porch-controllers
+ name: porch-system:porch-controllers
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRoleBinding|default|porch-system:porch-controllers'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: porch-controllers
+subjects:
+- kind: ServiceAccount
+ name: porch-controllers
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/Kptfile b/infra/porch/from-yaml/orchestrator/Kptfile
new file mode 100644
index 0000000..a91d60d
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/Kptfile
@@ -0,0 +1,20 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: porch
+upstream:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/deployments/porch
+ ref: porch/v0.0.9
+ updateStrategy: resource-merge
+upstreamLock:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/deployments/porch
+ ref: porch/v0.0.9
+ commit: 1c7ebea5b4c9f41321ed28126f8b2b8ff71aba71
+info:
+ description: porch
diff --git a/infra/porch/from-yaml/rbac/Kptfile b/infra/porch/from-yaml/rbac/Kptfile
new file mode 100644
index 0000000..03d8af6
--- /dev/null
+++ b/infra/porch/from-yaml/rbac/Kptfile
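Review bot: The ClusterRole `porch-controllers` is defined twice in this commit with different rule sets — here in `9-controllers.yaml` and again in `rbac/role.yaml`, both carrying the same `upstream-identifier` — so whichever manifest is applied last silently wins: the `rbac/role.yaml` version lacks the `serviceaccounts/token`, cnrm and `hub.gke.io` rules, while this one lacks `delete` on the porch CRDs, and a later `kpt pkg update` may flip the result. The TODO above the role already admits the copy; until it is resolved, keep one definition (or rename this one) and say in the comment which file is authoritative. Separately, `serviceaccounts/token` create with no namespace restriction lets the controller mint a token for any ServiceAccount in the cluster, which is close to "act as any workload"; if the bindings it needs are only in `porch-system`, a namespaced Role is enough, and in any case a comment stating which accounts it impersonates, e.g. `# Needed to mint tokens for WorkloadIdentityBinding targets`, is warranted. `GCP_PROJECT_ID: example-google-project-id` and `HACK_ENABLE_LOOPBACK: "1"` are also applied as-is; if the former is meant to be substituted by kpt, the setter should be visible here.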
@@ -0,0 +1,18 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: rbac
+upstream:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/controllers/config/rbac
+ ref: porch/v0.0.9
+ updateStrategy: resource-merge
+upstreamLock:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/controllers/config/rbac
+ ref: porch/v0.0.9
+ commit: 1c7ebea5b4c9f41321ed28126f8b2b8ff71aba71
diff --git a/infra/porch/from-yaml/rbac/role.yaml b/infra/porch/from-yaml/rbac/role.yaml
new file mode 100644
index 0000000..e1f3e16
--- /dev/null
+++ b/infra/porch/from-yaml/rbac/role.yaml
@@ -0,0 +1,105 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata: # kpt-merge: /porch-controllers
+ creationTimestamp: null
+ name: porch-controllers
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRole|default|porch-controllers'
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/infra/porch/from-yaml/ui/1-namespace-backstage.yaml b/infra/porch/from-yaml/ui/1-namespace-backstage.yaml
new file mode 100644
index 0000000..3bf9ba2
--- /dev/null
+++ b/infra/porch/from-yaml/ui/1-namespace-backstage.yaml
@@ -0,0 +1,17 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: backstage
diff --git a/infra/porch/from-yaml/ui/2-secret.yaml b/infra/porch/from-yaml/ui/2-secret.yaml
new file mode 100644
index 0000000..caaf035
--- /dev/null
+++ b/infra/porch/from-yaml/ui/2-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cad-google-oauth-client
+ namespace: backstage
+type: Opaque
+stringData:
+ # create a OAUTH 2.0 in pantheon
+ client-id: TODO
+ client-secret: TODO
diff --git a/infra/porch/from-yaml/ui/3-deployment.yaml b/infra/porch/from-yaml/ui/3-deployment.yaml
new file mode 100644
index 0000000..2a13db0
--- /dev/null
+++ b/infra/porch/from-yaml/ui/3-deployment.yaml
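Review bot: `2-secret.yaml` commits a `Secret` with `stringData` to the repo, and the only thing standing between this file and a real Google OAuth client secret in git history is someone replacing `client-secret: TODO` in place. As written it also applies cleanly, so the backstage Deployment in `3-deployment.yaml` (which references both keys with `optional: false`) starts with the literal string `TODO` as its client secret and fails only at login time. Prefer keeping this file as an uncommitted template or sourcing the two keys from a secret store (Secret Manager via an external-secrets operator), and mark the placeholder so it is not mistaken for a value: `# placeholder only — never commit real OAuth client values; provision out of band`. The comment `# create a OAUTH 2.0 in pantheon` uses an internal name; `# create an OAuth 2.0 client ID in the Google Cloud console` is what an outside reader needs.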
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backstage
+ namespace: backstage
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backstage
+ template:
+ metadata:
+ labels:
+ app: backstage
+ spec:
+ containers:
+ - name: backstage
+ image: gcr.io/kpt-dev/kpt-backstage-plugins/backstage-plugin-cad:v0.1.1
+ ports:
+ - name: http
+ containerPort: 7007
+ env:
+ - name: AUTH_GOOGLE_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: cad-google-oauth-client
+ key: client-id
+ optional: false
+ - name: AUTH_GOOGLE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: cad-google-oauth-client
+ key: client-secret
+ optional: false
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backstage
+ namespace: backstage
+spec:
+ selector:
+ app: backstage
+ ports:
+ - name: http
+ port: 7007
+ targetPort: http
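Review bot: The `backstage` Deployment has no `resources` block and no `securityContext`, unlike `function-runner` and `porch-server` in this commit, which at least set requests; a misbehaving UI pod has nothing bounding it in the `backstage` namespace. I would add requests/limits and `allowPrivilegeEscalation: false` / `runAsNonRoot: true` on the container, matching the porch deployments. The Service is ClusterIP-only with no Ingress in this commit, so how the UI is reached and which OAuth redirect URI the client ID was registered with is left to the operator; a comment on the Service such as `# reached via port-forward/ingress (outside this package); the OAuth redirect URI must match that origin` would close that gap. The image is tag-pinned (`v0.1.1`), same digest note as for the porch images.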