From 32602a8ba613b7f6c49c10bfaf0e77df4aa0de04 Mon Sep 17 00:00:00 2001 From: Yuwen Ma Date: Mon, 29 Aug 2022 16:26:44 -0700 Subject: [PATCH 1/2] from justinsb/kpt-samples --- infra/environment/Kptfile | 13 ++++ infra/environment/README.md | 1 + infra/environment/folder.yaml | 10 +++ infra/environment/kcc.yaml | 105 +++++++++++++++++++++++++++ infra/environment/project.yaml | 58 +++++++++++++++ infra/environment/rbac.yaml | 32 ++++++++ infra/environment/services.yaml | 32 ++++++++ infra/gkecluster/Kptfile | 13 ++++ infra/gkecluster/README.md | 1 + infra/gkecluster/bindings.yaml | 30 ++++++++ infra/gkecluster/cluster.yaml | 49 +++++++++++++ infra/gkecluster/serviceaccount.yaml | 39 ++++++++++ 12 files changed, 383 insertions(+) create mode 100644 infra/environment/Kptfile create mode 100644 infra/environment/README.md create mode 100644 infra/environment/folder.yaml create mode 100644 infra/environment/kcc.yaml create mode 100644 infra/environment/project.yaml create mode 100644 infra/environment/rbac.yaml create mode 100644 infra/environment/services.yaml create mode 100644 infra/gkecluster/Kptfile create mode 100644 infra/gkecluster/README.md create mode 100644 infra/gkecluster/bindings.yaml create mode 100644 infra/gkecluster/cluster.yaml create mode 100644 infra/gkecluster/serviceaccount.yaml diff --git a/infra/environment/Kptfile b/infra/environment/Kptfile new file mode 100644 index 0000000..1ef8012 --- /dev/null +++ b/infra/environment/Kptfile @@ -0,0 +1,13 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: environment + annotations: + config.kubernetes.io/local-config: "true" +info: + description: environment +pipeline: + mutators: + - image: set-name-prefix + - image: generator-configconnectorcontext + - image: bind-gcp-resources diff --git a/infra/environment/README.md b/infra/environment/README.md new file mode 100644 index 0000000..5094355 --- /dev/null +++ b/infra/environment/README.md @@ -0,0 +1 @@ +# environment 
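Review bot: The three `pipeline.mutators` entries in infra/environment/Kptfile (`set-name-prefix`, `generator-configconnectorcontext`, `bind-gcp-resources`) are bare image names with no registry, tag or digest, so whichever resolver runs `kpt fn render` decides which function code is executed against this package. infra/gkecluster/Kptfile later in this patch has the same problem in a different form: fully qualified but mutable references under the personal project `gcr.io/justinsb-root-20220725/`. Pin each function by digest, e.g. `- image: REGISTRY/set-name-prefix@sha256:DIGEST` (placeholders), host them in a project-owned registry, and use the same form in both Kptfiles so rendering is reproducible and the two packages do not silently diverge. The `info.description: sample description` in the gkecluster Kptfile also looks like leftover scaffolding and should say what the package provisions.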
diff --git a/infra/environment/folder.yaml b/infra/environment/folder.yaml new file mode 100644 index 0000000..9529490 --- /dev/null +++ b/infra/environment/folder.yaml @@ -0,0 +1,10 @@ +# Create an environment folder to hold the new project. +apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 +kind: Folder +metadata: + name: environments + namespace: config-control +spec: + displayName: environments + folderRef: + name: root \ No newline at end of file diff --git a/infra/environment/kcc.yaml b/infra/environment/kcc.yaml new file mode 100644 index 0000000..2168b35 --- /dev/null +++ b/infra/environment/kcc.yaml 
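Review bot: `spec.folderRef.name: root` in folder.yaml points at a Folder object named `root` in `config-control` that nothing in this patch creates, so the package presumably depends on a pre-existing Folder that the one-line README does not mention; if the intent is a top-level folder directly under the organization, `organizationRef` is the field for that, otherwise add a comment such as `# expects a Folder named "root" to already exist in config-control`. The file is also the only one in the patch without a trailing newline (`\ No newline at end of file`).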
@@ -0,0 +1,105 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: packagename + annotations: + cnrm.cloud.google.com/project-id: googleprojectid + +--- + +apiVersion: core.cnrm.cloud.google.com/v1beta1 +kind: ConfigConnectorContext +metadata: + name: configconnectorcontext.core.cnrm.cloud.google.com + namespace: packagename +spec: + googleServiceAccount: cc-robot@googleprojectid.iam.gserviceaccount.com + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cnrm-controller-manager-packagename + namespace: cnrm-system + annotations: + config.kubernetes.io/local-config: generated + ownerReferences: + - apiVersion: core.cnrm.cloud.google.com/v1beta1 + kind: ConfigConnectorContext + name: configconnectorcontext.core.cnrm.cloud.google.com + namespace: packagename + +--- + +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + name: packagename-cc-robot + namespace: config-control + annotations: + cnrm.cloud.google.com/project-id: googleprojectid +spec: + displayName: ConfigConnector ServiceAccount + resourceID: cc-robot + +--- + +apiVersion: porch.kpt.dev/v1alpha1 +kind: WorkloadIdentityBinding +metadata: + name: packagename-cnrm-controller-manager + namespace: config-control +spec: + resourceRef: + apiVersion: iam.cnrm.cloud.google.com/v1beta1 + kind: IAMServiceAccount + name: packagename-cc-robot + serviceAccountRef: + name: 
cnrm-controller-manager-packagename + namespace: cnrm-system + +--- + +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: packagename-cc-robot + namespace: config-control +spec: + memberFrom: + serviceAccountRef: + name: packagename-cc-robot + role: roles/owner + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + name: packagename +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "packagename-cnrm:cnrm-viewer" + namespace: config-control +subjects: +- kind: ServiceAccount + namespace: cnrm-system + name: cnrm-controller-manager-packagename +roleRef: + kind: ClusterRole + name: cnrm-viewer + apiGroup: rbac.authorization.k8s.io diff --git a/infra/environment/project.yaml b/infra/environment/project.yaml new file mode 100644 index 0000000..18ac42d --- /dev/null +++ b/infra/environment/project.yaml 
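Review bot: The `IAMPolicyMember` near the end of kcc.yaml binds the `cc-robot` service account to `roles/owner` on the project, which includes the ability to rewrite the project's own IAM policy, so anything that can create Config Connector resources in the `packagename` namespace effectively holds project-wide admin. Unless this namespace is meant to manage every resource type, a narrower grant (`role: roles/editor` plus the specific admin roles the environment actually needs) is safer, and if owner really is required a comment stating why belongs above `role: roles/owner`. Separately, `config.kubernetes.io/local-config: generated` on the `cnrm-system` ServiceAccount is a value I have not seen documented for that annotation; presumably `generator-configconnectorcontext` emits it, so a comment naming the generator would help readers.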
@@ -0,0 +1,58 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 +kind: Folder +metadata: + name: packagename + namespace: config-control +spec: + displayName: packagename + folderRef: + name: environments + namepace: environments-ns + +--- + +apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 +kind: Project +metadata: + name: packagename + namespace: config-control +spec: + name: packagename + folderRef: + name: environments + billingAccountRef: + #name: default + # TODO: Is there a BillingAccount ref? + external: 016C6E-5D5038-702920 + resourceID: googleprojectid + + +--- + +# We need to enable some services so we can enable other services + +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + annotations: + cnrm.cloud.google.com/deletion-policy: "abandon" + name: packagename-serviceusage + namespace: config-control +spec: + resourceID: serviceusage.googleapis.com + projectRef: + name: packagename diff --git a/infra/environment/rbac.yaml b/infra/environment/rbac.yaml new file mode 100644 index 0000000..6ad0091 --- /dev/null +++ b/infra/environment/rbac.yaml 
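Review bot: `billingAccountRef.external: 016C6E-5D5038-702920` in project.yaml hard-codes a real-looking billing account ID into a sample package that is meant to be copied, and it sits next to the `#name: default` / `# TODO` lines that question the field itself. Make it a setter-driven placeholder, e.g. `external: BILLING_ACCOUNT_ID # kpt-set: ${billing-account}`, and resolve the TODO with a short comment saying that `external` is the form used here. The `Service` at the bottom carries `cnrm.cloud.google.com/deletion-policy: "abandon"` while the `Project` and `Folder` above do not; a one-line comment on why the project is deliberately not abandoned (presumably so deleting the package tears the project down) would make that asymmetry intentional rather than accidental.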
@@ -0,0 +1,32 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPartialPolicy +metadata: + name: packagename-editors + namespace: config-control +spec: + # TODO: Replace with group? + bindings: + - members: + - member: user:justinsb@google.com + role: roles/editor + - members: + - member: user:justinsb@google.com + role: roles/container.admin + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + name: packagename diff --git a/infra/environment/services.yaml b/infra/environment/services.yaml new file mode 100644 index 0000000..7269423 --- /dev/null +++ b/infra/environment/services.yaml 
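Review bot: The `IAMPartialPolicy` in rbac.yaml binds `user:justinsb@google.com` to `roles/editor` and `roles/container.admin` on the project, so a personal identity is baked into a reusable package and every environment stamped from it grants that user edit rights; the `# TODO: Replace with group?` comment already acknowledges this. Replace the literal with a setter placeholder for a group, e.g. `- member: group:ENV_ADMINS_GROUP # kpt-set: ${admins-group}`, and use the same placeholder for both bindings so they cannot drift apart. A comment above `bindings:` saying that the policy is non-authoritative (other bindings on the project are presumably left untouched) would also tell operators what removing an entry here does and does not revoke.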
@@ -0,0 +1,32 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + annotations: + cnrm.cloud.google.com/deletion-policy: "abandon" + name: container.googleapis.com + namespace: packagename + +--- + +# Needed to grant GCP IAM permissions on projects +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + annotations: + cnrm.cloud.google.com/deletion-policy: "abandon" + name: cloudresourcemanager.googleapis.com + namespace: packagename diff --git a/infra/gkecluster/Kptfile b/infra/gkecluster/Kptfile new file mode 100644 index 0000000..42af3b5 --- /dev/null +++ b/infra/gkecluster/Kptfile @@ -0,0 +1,13 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: gkecluster + annotations: + config.kubernetes.io/local-config: "true" +info: + description: sample description +pipeline: + mutators: + - image: gcr.io/justinsb-root-20220725/set-name-prefix + - image: gcr.io/justinsb-root-20220725/generator-configconnectorcontext + - image: gcr.io/justinsb-root-20220725/bind-gcp-resources diff --git a/infra/gkecluster/README.md b/infra/gkecluster/README.md new file mode 100644 index 0000000..29632e6 --- /dev/null +++ b/infra/gkecluster/README.md @@ -0,0 +1 @@ +# gkecluster diff --git a/infra/gkecluster/bindings.yaml b/infra/gkecluster/bindings.yaml new file mode 100644 index 0000000..12e2ba2 --- /dev/null +++ b/infra/gkecluster/bindings.yaml 
@@ -0,0 +1,30 @@ +# # Copyright 2022 Google LLC +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: binding + annotations: + config.kubernetes.io/local-config: "binding" + +--- + +apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 +kind: Project +metadata: + name: binding + namespace: config-control + annotations: + config.kubernetes.io/local-config: "binding" diff --git a/infra/gkecluster/cluster.yaml b/infra/gkecluster/cluster.yaml new file mode 100644 index 0000000..9a37844 --- /dev/null +++ b/infra/gkecluster/cluster.yaml 
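Review bot: The license header in bindings.yaml is double-commented (`# # Copyright 2022 Google LLC` and so on) unlike the single-`#` headers in cluster.yaml and serviceaccount.yaml; it reads as a copy-paste artifact and should be normalized to `# Copyright 2022 Google LLC`. Both objects carry `config.kubernetes.io/local-config: "binding"`, a non-standard value for an annotation that is `"true"` elsewhere in the patch; presumably `bind-gcp-resources` keys on it, so a comment such as `# placeholder resolved by the bind-gcp-resources mutator; never applied to the cluster` above each object would save readers a lookup.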
@@ -0,0 +1,49 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerCluster +metadata: + name: packagename + namespace: binding + annotations: + cnrm.cloud.google.com/remove-default-node-pool: "true" + cnrm.cloud.google.com/state-into-spec: absent +spec: + #description: cluster + location: us-central1 + enableAutopilot: false + initialNodeCount: 1 + releaseChannel: + channel: REGULAR +--- +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerNodePool +metadata: + name: packagename-default + namespace: binding +spec: + location: us-central1 + autoscaling: + minNodeCount: 1 + maxNodeCount: 3 + nodeConfig: + serviceAccountRef: + name: packagename-gke + management: + autoRepair: true + autoUpgrade: true + clusterRef: + name: packagename + resourceID: default diff --git a/infra/gkecluster/serviceaccount.yaml b/infra/gkecluster/serviceaccount.yaml new file mode 100644 index 0000000..f5a7bd2 --- /dev/null +++ b/infra/gkecluster/serviceaccount.yaml 
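Review bot: The `ContainerCluster` in cluster.yaml has no `workloadIdentityConfig`, and the `ContainerNodePool` sets `nodeConfig.serviceAccountRef` to `packagename-gke` without a `workloadMetadataConfig`, so pods on these nodes presumably obtain the node service account's credentials from the metadata server — and serviceaccount.yaml in this same patch grants that account `roles/owner`. Add `workloadIdentityConfig:` / `  workloadPool: PROJECT_ID.svc.id.goog` (placeholder) under the cluster spec and `workloadMetadataConfig` with `mode: GKE_METADATA` under `nodeConfig` so workloads use per-pod identities instead. The spec also leaves out private nodes, authorized networks and shielded-node settings; if that is deliberate for a sample, a comment saying so is worth adding, and the commented-out `#description: cluster` line should be removed or filled in.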
@@ -0,0 +1,39 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMServiceAccount +metadata: + name: packagename-gke + namespace: binding +spec: + displayName: ServiceAccount for GKE cluster nodes + +--- + +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: packagename-gke-owner + namespace: binding +spec: + memberFrom: + serviceAccountRef: + name: packagename-gke + role: roles/owner + resourceRef: + apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 + kind: Project + name: binding + namespace: config-control From 22645fa9b97b9c1a37cc41df3719653801774411 Mon Sep 17 00:00:00 2001 
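Review bot: `packagename-gke-owner` in serviceaccount.yaml grants the GKE node service account `roles/owner` on the project, far more than nodes need, so a single compromised pod with metadata-server access would hold project-owner credentials. Nodes typically only need to ship logs and metrics and pull images: change the binding to `role: roles/container.nodeServiceAccount` (or separate members for `roles/logging.logWriter`, `roles/monitoring.metricWriter` and `roles/artifactregistry.reader`) and rename the object to match. The `IAMServiceAccount` above has no `resourceID`, so the GCP account ID is presumably derived from the metadata name `packagename-gke`; a one-line comment stating that would help whoever grants further roles to it.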
From: Yuwen Ma Date: Mon, 29 Aug 2022 16:27:07 -0700 Subject: [PATCH 2/2] Add porch installation and Config sync installation from porch --- infra/environment/project.yaml | 1 - .../from-configsync/remoteRootSyncSet.yaml | 15 + infra/porch/from-configsync/rootSyncSet.yaml | 19 + infra/porch/from-yaml/crds/Kptfile | 18 + ...nfig.porch.kpt.dev_remoterootsyncsets.yaml | 209 ++++++++ .../config.porch.kpt.dev_rootsyncsets.yaml | 147 ++++++ ...orch.kpt.dev_workloadidentitybindings.yaml | 121 +++++ .../orchestrator/0-remoterootsyncsets.yaml | 208 ++++++++ .../orchestrator/0-repositories.yaml | 272 ++++++++++ .../orchestrator/0-rootsyncsets.yaml | 146 ++++++ .../0-workloadidentitybindings.yaml | 120 +++++ .../from-yaml/orchestrator/1-namespace.yaml | 22 + .../orchestrator/2-function-runner.yaml | 107 ++++ .../orchestrator/3-porch-server.yaml | 74 +++ .../from-yaml/orchestrator/4-apiservice.yaml | 26 + .../porch/from-yaml/orchestrator/5-rbac.yaml | 97 ++++ .../from-yaml/orchestrator/6-rbac-bind.yaml | 53 ++ .../from-yaml/orchestrator/7-auth-reader.yaml | 26 + .../orchestrator/8-auth-delegator.yaml | 25 + .../from-yaml/orchestrator/9-controllers.yaml | 219 +++++++++ infra/porch/from-yaml/orchestrator/Kptfile | 6 + .../config-management-operator.yaml | 463 ++++++++++++++++++ infra/porch/from-yaml/rbac/Kptfile | 18 + infra/porch/from-yaml/rbac/role.yaml | 105 ++++ .../from-yaml/ui/1-namespace-backstage.yaml | 17 + infra/porch/from-yaml/ui/2-secret.yaml | 10 + infra/porch/from-yaml/ui/3-deployment.yaml | 47 ++ 27 files changed, 2590 insertions(+), 1 deletion(-) create mode 100644 infra/porch/from-configsync/remoteRootSyncSet.yaml create mode 100644 infra/porch/from-configsync/rootSyncSet.yaml create mode 100644 infra/porch/from-yaml/crds/Kptfile create mode 100644 infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml create mode 100644 infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml create mode 100644 
infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml create mode 100644 infra/porch/from-yaml/orchestrator/0-remoterootsyncsets.yaml create mode 100644 infra/porch/from-yaml/orchestrator/0-repositories.yaml create mode 100644 infra/porch/from-yaml/orchestrator/0-rootsyncsets.yaml create mode 100644 infra/porch/from-yaml/orchestrator/0-workloadidentitybindings.yaml create mode 100644 infra/porch/from-yaml/orchestrator/1-namespace.yaml create mode 100644 infra/porch/from-yaml/orchestrator/2-function-runner.yaml create mode 100644 infra/porch/from-yaml/orchestrator/3-porch-server.yaml create mode 100644 infra/porch/from-yaml/orchestrator/4-apiservice.yaml create mode 100644 infra/porch/from-yaml/orchestrator/5-rbac.yaml create mode 100644 infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml create mode 100644 infra/porch/from-yaml/orchestrator/7-auth-reader.yaml create mode 100644 infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml create mode 100644 infra/porch/from-yaml/orchestrator/9-controllers.yaml create mode 100644 infra/porch/from-yaml/orchestrator/Kptfile create mode 100644 infra/porch/from-yaml/orchestrator/config-management-operator.yaml create mode 100644 infra/porch/from-yaml/rbac/Kptfile create mode 100644 infra/porch/from-yaml/rbac/role.yaml create mode 100644 infra/porch/from-yaml/ui/1-namespace-backstage.yaml create mode 100644 infra/porch/from-yaml/ui/2-secret.yaml create mode 100644 infra/porch/from-yaml/ui/3-deployment.yaml diff --git a/infra/environment/project.yaml b/infra/environment/project.yaml index 18ac42d..09f875e 100644 --- a/infra/environment/project.yaml +++ b/infra/environment/project.yaml @@ -21,7 +21,6 @@ spec: displayName: packagename folderRef: name: environments - namepace: environments-ns --- diff --git a/infra/porch/from-configsync/remoteRootSyncSet.yaml b/infra/porch/from-configsync/remoteRootSyncSet.yaml new file mode 100644 index 0000000..26ddd4c --- /dev/null 
+++ b/infra/porch/from-configsync/remoteRootSyncSet.yaml @@ -0,0 +1,15 @@ +apiVersion: config.porch.kpt.dev/v1alpha1 +kind: RemoteRootSyncSet +metadata: + name: porch-install + namespace: dev +spec: + clusterRefs: + - apiVersion: container.cnrm.cloud.google.com/v1beta1 + kind: ContainerCluster + name: us-central1 + namespace: dev + template: + sourceFormat: unstructured + oci: + repository: gcr.io/yuwenma-gke-catalyst-goog-rlol/porch:v0.1 diff --git a/infra/porch/from-configsync/rootSyncSet.yaml b/infra/porch/from-configsync/rootSyncSet.yaml new file mode 100644 index 0000000..c76eadf --- /dev/null +++ b/infra/porch/from-configsync/rootSyncSet.yaml @@ -0,0 +1,19 @@ +apiVersion: config.porch.kpt.dev/v1alpha1 +kind: RootSyncSet +metadata: + name: porch-install + namespace: dev +spec: + clusterRefs: + - apiVersion: container.cnrm.cloud.google.com/v1beta1 + kind: ContainerCluster + name: us-central1 + namespace: dev + template: + spec: + sourceFormat: unstructured + git: + auth: none + repo: http://github.com/GoogleContainerTools/kpt-samples.git + branch: dogfood-porch-installation + dir: infra/porch/from-yaml diff --git a/infra/porch/from-yaml/crds/Kptfile b/infra/porch/from-yaml/crds/Kptfile new file mode 100644 index 0000000..078d4ed --- /dev/null +++ b/infra/porch/from-yaml/crds/Kptfile @@ -0,0 +1,18 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: crds +upstream: + type: git + git: + repo: git@github.com:GoogleContainerTools/kpt + directory: /porch/controllers/config/crd/bases + ref: porch/v0.0.9 + updateStrategy: resource-merge +upstreamLock: + type: git + git: + repo: git@github.com:GoogleContainerTools/kpt + directory: /porch/controllers/config/crd/bases + ref: porch/v0.0.9 + commit: 1c7ebea5b4c9f41321ed28126f8b2b8ff71aba71 diff --git a/infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml b/infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml new file mode 100644 index 0000000..c76ace4 --- /dev/null 
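Review bot: `spec.template.oci.repository: gcr.io/yuwenma-gke-catalyst-goog-rlol/porch:v0.1` in remoteRootSyncSet.yaml points at a personal project's registry with a mutable tag, so what gets applied to every cluster in `clusterRefs` can change silently whenever the tag is re-pushed. Pin it by digest, e.g. `repository: REGISTRY/porch@sha256:DIGEST` (placeholders), and keep the image in a registry the project owns. This object and the `RootSyncSet` in rootSyncSet.yaml are both named `porch-install` and both target `ContainerCluster` `us-central1` in namespace `dev`; they look like alternative install paths, so a comment in each saying which one is meant to be applied would prevent both from syncing the same installation.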
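Review bot: `spec.template.spec.git.repo` in rootSyncSet.yaml is `http://github.com/GoogleContainerTools/kpt-samples.git`, a cleartext URL, so the manifests Config Sync applies to the target cluster are fetched with no transport integrity; change it to `repo: https://github.com/GoogleContainerTools/kpt-samples.git`. The source is pinned only to `branch: dogfood-porch-installation`, so a force-push changes what is deployed with no review here; once the branch stabilizes, set the CRD's `revision` field to a commit. `auth: none` is appropriate for a public repository and is one of the two fields the RootSyncSet CRD later in this patch marks `required`.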
+++ b/infra/porch/from-yaml/crds/config.porch.kpt.dev_remoterootsyncsets.yaml 
@@ -0,0 +1,209 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /remoterootsyncsets.config.porch.kpt.dev + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + internal.kpt.dev/upstream-identifier: 'apiextensions.k8s.io|CustomResourceDefinition|default|remoterootsyncsets.config.porch.kpt.dev' + creationTimestamp: null + name: remoterootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RemoteRootSyncSet + listKind: RemoteRootSyncSetList + plural: remoterootsyncsets + singular: remoterootsyncset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.aggregated.applied + name: AppliedCount + type: integer + - jsonPath: .status.aggregated.ready + name: ReadyCount + type: integer + - jsonPath: .status.aggregated.total + name: Total + type: integer + - jsonPath: .status.aggregated.conditions[?(@.type=='Applied')].reason + name: Applied + type: string + - jsonPath: .status.aggregated.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: "RemoteRootSyncSet represents applying a package to multiple target clusters. In future, this should use ConfigSync, but while we're iterating on OCI/porch support, and making a few similar iterations (e.g. what feedback do we need for rollout), we're just applying directly to the target cluster(s). \n We follow the \"managed remote objects\" pattern; we don't want to create a mirror object, so we start with the \"ReplicaSet\" of Pod/ReplicaSet/Deployment. \n spec.clusterRefs specifies the target clusters \n spec.template maps to the spec of our \"Pod\", in this case a ConfigSync RootSync/RepoSync. Because we're not actually using ConfigSync in this prototype, we are only defining a small subset of fields." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RemoteRootSyncSetSpec defines the desired state of RemoteRootSync + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: array + template: + properties: + oci: + description: Git *GitInfo `json:"git,omitempty"` + properties: + repository: + type: string + type: object + sourceFormat: + type: string + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + aggregated: + properties: + applied: + format: int32 + type: integer + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + format: int32 + type: integer + total: + format: int32 + type: integer + required: + - applied + - ready + - total + type: object + targets: + items: + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ref: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml b/infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml new file mode 100644 index 0000000..17e2604 --- /dev/null +++ b/infra/porch/from-yaml/crds/config.porch.kpt.dev_rootsyncsets.yaml 
@@ -0,0 +1,147 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /rootsyncsets.config.porch.kpt.dev + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + internal.kpt.dev/upstream-identifier: 'apiextensions.k8s.io|CustomResourceDefinition|default|rootsyncsets.config.porch.kpt.dev' + creationTimestamp: null + name: rootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RootSyncSet + listKind: RootSyncSetList + plural: rootsyncsets + singular: rootsyncset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RootSyncSet is the Schema for the rootsyncsets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RootSyncSetSpec defines the desired state of RootSyncSet + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - namespace + type: object + type: array + template: + properties: + spec: + properties: + git: + properties: + auth: + type: string + branch: + type: string + dir: + type: string + gcpServiceAccountEmail: + type: string + noSSLVerify: + type: boolean + period: + type: string + proxy: + type: string + repo: + type: string + revision: + type: string + secretRef: + description: SecretReference contains the reference to the secret used to connect to Git source of truth. + properties: + name: + description: Name represents the secret name. + type: string + type: object + required: + - auth + - repo + type: object + sourceFormat: + type: string + type: object + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml b/infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml new file mode 100644 index 0000000..9267489 --- /dev/null +++ b/infra/porch/from-yaml/crds/config.porch.kpt.dev_workloadidentitybindings.yaml 
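Review bot: `spec.template.spec.git.noSSLVerify` is an undocumented boolean whose name says it switches off TLS certificate verification for the git source, and the neighbouring `auth` and `secretRef` fields carry no description either; since this file is controller-gen output (see the `controller-gen.kubebuilder.io/version` annotation), the wording belongs on the Go types it is generated from, presumably upstream of this kpt package. I would add at least `description: noSSLVerify disables TLS certificate verification when fetching from repo; keep it false outside of test setups.` on `noSSLVerify`, and make `name` required under `secretRef` (`required: [name]`) the way the Repository CRD later in this series does, so an empty secret reference is rejected by the API server rather than surfacing later in the controller. The identical schema is repeated in the orchestrator copy of this CRD, `infra/porch/from-yaml/orchestrator/0-rootsyncsets.yaml`, further down.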
@@ -0,0 +1,121 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: # kpt-merge: /workloadidentitybindings.config.porch.kpt.dev + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + internal.kpt.dev/upstream-identifier: 'apiextensions.k8s.io|CustomResourceDefinition|default|workloadidentitybindings.config.porch.kpt.dev' + creationTimestamp: null + name: workloadidentitybindings.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: WorkloadIdentityBinding + listKind: WorkloadIdentityBindingList + plural: workloadidentitybindings + singular: workloadidentitybinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkloadIdentityBinding + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkloadIdentityBindingSpec defines the desired state of RemoteRootSync + properties: + resourceRef: + properties: + apiVersion: + type: string + external: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + serviceAccountRef: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + status: + description: WorkloadIdentityBindingStatus defines the observed state of WorkloadIdentityBinding + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/orchestrator/0-remoterootsyncsets.yaml b/infra/porch/from-yaml/orchestrator/0-remoterootsyncsets.yaml new file mode 100644 index 0000000..ef77a09 --- /dev/null 
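Review bot: The `spec` description reads `WorkloadIdentityBindingSpec defines the desired state of RemoteRootSync`, a copy-paste from the RemoteRootSyncSet types that should say `WorkloadIdentityBinding`; as the file is controller-gen output, the fix is the doc comment on the Go type. `resourceRef` and `serviceAccountRef` have no description and no `required` list, so an object with both left empty validates, and nothing here says whether the `namespace` fields may point at a service account or resource outside the binding's own namespace — that is the property I would want stated, since the binding presumably grants the referenced Kubernetes service account an identity on the referenced GCP resource. A one-line `description` on each ref (including what `external` is for on `resourceRef`, and whether cross-namespace refs are honoured) would settle both. The same schema is duplicated in `infra/porch/from-yaml/orchestrator/0-workloadidentitybindings.yaml` at the end of this chunk.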
+++ b/infra/porch/from-yaml/orchestrator/0-remoterootsyncsets.yaml 
@@ -0,0 +1,208 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: remoterootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RemoteRootSyncSet + listKind: RemoteRootSyncSetList + plural: remoterootsyncsets + singular: remoterootsyncset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.aggregated.applied + name: AppliedCount + type: integer + - jsonPath: .status.aggregated.ready + name: ReadyCount + type: integer + - jsonPath: .status.aggregated.total + name: Total + type: integer + - jsonPath: .status.aggregated.conditions[?(@.type=='Applied')].reason + name: Applied + type: string + - jsonPath: .status.aggregated.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: "RemoteRootSyncSet represents applying a package to multiple target clusters. In future, this should use ConfigSync, but while we're iterating on OCI/porch support, and making a few similar iterations (e.g. what feedback do we need for rollout), we're just applying directly to the target cluster(s). \n We follow the \"managed remote objects\" pattern; we don't want to create a mirror object, so we start with the \"ReplicaSet\" of Pod/ReplicaSet/Deployment. \n spec.clusterRefs specifies the target clusters \n spec.template maps to the spec of our \"Pod\", in this case a ConfigSync RootSync/RepoSync. Because we're not actually using ConfigSync in this prototype, we are only defining a small subset of fields." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RemoteRootSyncSetSpec defines the desired state of RemoteRootSync + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: array + template: + properties: + oci: + description: Git *GitInfo `json:"git,omitempty"` + properties: + repository: + type: string + type: object + sourceFormat: + type: string + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + aggregated: + properties: + applied: + format: int32 + type: integer + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. 
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + format: int32 + type: integer + total: + format: int32 + type: integer + required: + - applied + - ready + - total + type: object + targets: + items: + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ref: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/orchestrator/0-repositories.yaml b/infra/porch/from-yaml/orchestrator/0-repositories.yaml new file mode 100644 index 0000000..c6ee5fd --- /dev/null 
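Review bot: The `oci` description under `spec.template` is the literal text `Git *GitInfo` followed by a json struct tag, a Go field declaration rather than prose — it looks like controller-gen picked up a commented-out `Git` field as the doc comment of the `Oci` field, so the comment on the Go type needs replacing, e.g. `description: OCI repository holding the package to apply to the target clusters.` `status.description` likewise says `RootSyncSetStatus defines the observed state of RootSyncSet` on a RemoteRootSyncSet. Separately, `clusterRefs` items here have no `required` list while the RootSyncSet CRD in this series requires `namespace` on its `clusterRefs`; if the two are meant to be parallel the omission is worth confirming, since a ref without a namespace is otherwise accepted and resolved however the controller happens to default it.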
+++ b/infra/porch/from-yaml/orchestrator/0-repositories.yaml 
@@ -0,0 +1,272 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: repositories.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: Repository + listKind: RepositoryList + plural: repositories + singular: repository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.type + name: Type + type: string + - jsonPath: .spec.content + name: Content + type: string + - jsonPath: .spec.deployment + name: Deployment + type: boolean + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .spec['git','oci']['repo','registry'] + name: Address + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Repository + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "RepositorySpec defines the desired state of Repository \n Notes: - deployment repository - in KRM API ConfigSync would be configured directly? (or via this API)" + properties: + content: + description: 'Content stored in the repository (i.e. Function, Package - the literal values correspond to the API resource names). TODO: support repository with mixed content?' 
+ type: string + deployment: + description: The repository is a deployment repository; final packages in this repository are deployment ready. + type: boolean + description: + description: User-friendly description of the repository + type: string + git: + description: Git repository details. Required if `type` is `git`. Ignored if `type` is not `git`. + properties: + branch: + description: Name of the branch containing the packages. Finalized packages will be committed to this branch (if the repository allows write access). If unspecified, defaults to "main". + type: string + createBranch: + description: CreateBranch specifies if Porch should create the package branch if it doesn't exist. + type: boolean + directory: + description: Directory within the Git repository where the packages are stored. A subdirectory of this directory containing a Kptfile is considered a package. If unspecified, defaults to root directory. + type: string + repo: + description: 'Address of the Git repository, for example: `https://github.com/GoogleCloudPlatform/blueprints.git`' + type: string + secretRef: + description: Reference to secret containing authentication credentials. + properties: + name: + description: Name of the secret. The secret is expected to be located in the same namespace as the resource containing the reference. + type: string + required: + - name + type: object + required: + - repo + type: object + mutators: + description: '`Mutators` specifies list of functions to be added to the list of package''s mutators on changes to the packages in the repository to ensure the packages meet constraints enforced by the mutators associated with the repository. Based on the Kubernetest Admission Controllers (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). The functions will be evaluated in the order specified in the list.' 
+ items: + properties: + configMap: + additionalProperties: + type: string + description: '`ConfigMap` specifies the function config (https://kpt.dev/reference/cli/fn/eval/).' + type: object + functionRef: + description: '`FunctionRef` specifies the function by reference to a Function resource. Mutually exclusive with `Image`.' + properties: + name: + description: '`Name` is the name of the `Function` resource referenced. The resource is expected to be within the same namespace.' + type: string + required: + - name + type: object + image: + description: '`Image` specifies the function image, such as `gcr.io/kpt-fn/gatekeeper:v0.2`. Use of `Image` is mutually exclusive with `FunctionRef`.' + type: string + type: object + type: array + oci: + description: OCI repository details. Required if `type` is `oci`. Ignored if `type` is not `oci`. + properties: + registry: + description: Registry is the address of the OCI registry + type: string + secretRef: + description: Reference to secret containing authentication credentials. + properties: + name: + description: Name of the secret. The secret is expected to be located in the same namespace as the resource containing the reference. + type: string + required: + - name + type: object + required: + - registry + type: object + type: + description: Type of the repository (i.e. git, OCI) + type: string + upstream: + description: Upstream is the default upstream repository for packages in this repository. Specifying it per repository allows simpler UX when creating packages. + properties: + git: + description: Git repository details. Required if `type` is `git`. Must be unspecified if `type` is not `git`. + properties: + branch: + description: Name of the branch containing the packages. Finalized packages will be committed to this branch (if the repository allows write access). If unspecified, defaults to "main". 
+ type: string + createBranch: + description: CreateBranch specifies if Porch should create the package branch if it doesn't exist. + type: boolean + directory: + description: Directory within the Git repository where the packages are stored. A subdirectory of this directory containing a Kptfile is considered a package. If unspecified, defaults to root directory. + type: string + repo: + description: 'Address of the Git repository, for example: `https://github.com/GoogleCloudPlatform/blueprints.git`' + type: string + secretRef: + description: Reference to secret containing authentication credentials. + properties: + name: + description: Name of the secret. The secret is expected to be located in the same namespace as the resource containing the reference. + type: string + required: + - name + type: object + required: + - repo + type: object + oci: + description: OCI repository details. Required if `type` is `oci`. Must be unspecified if `type` is not `oci`. + properties: + registry: + description: Registry is the address of the OCI registry + type: string + secretRef: + description: Reference to secret containing authentication credentials. + properties: + name: + description: Name of the secret. The secret is expected to be located in the same namespace as the resource containing the reference. + type: string + required: + - name + type: object + required: + - registry + type: object + repositoryRef: + description: RepositoryRef contains a reference to an existing Repository resource to be used as the default upstream repository. + properties: + name: + description: Name of the Repository resource referenced. + type: string + required: + - name + type: object + type: + description: Type of the repository (i.e. git, OCI). If empty, repositoryRef will be used. 
+ type: string + type: object + validators: + description: '`Validators` specifies list of functions to be added to the list of package''s validators on changes to the packages in the repository to ensure the packages meet constraints enforced by the validators associated with the repository. Based on the Kubernetest Admission Controllers (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). The functions will be evaluated in the order specified in the list.' + items: + properties: + configMap: + additionalProperties: + type: string + description: '`ConfigMap` specifies the function config (https://kpt.dev/reference/cli/fn/eval/).' + type: object + functionRef: + description: '`FunctionRef` specifies the function by reference to a Function resource. Mutually exclusive with `Image`.' + properties: + name: + description: '`Name` is the name of the `Function` resource referenced. The resource is expected to be within the same namespace.' + type: string + required: + - name + type: object + image: + description: '`Image` specifies the function image, such as `gcr.io/kpt-fn/gatekeeper:v0.2`. Use of `Image` is mutually exclusive with `FunctionRef`.' + type: string + type: object + type: array + type: object + status: + description: RepositoryStatus defines the observed state of Repository + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/orchestrator/0-rootsyncsets.yaml b/infra/porch/from-yaml/orchestrator/0-rootsyncsets.yaml new file mode 100644 index 0000000..d8f0019 --- /dev/null +++ b/infra/porch/from-yaml/orchestrator/0-rootsyncsets.yaml 
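Review bot: `spec.type` is described as `Type of the repository (i.e. git, OCI)` but is an unconstrained string, so a value such as `Git` passes admission and is only caught, if at all, by the controller; an `enum: [git, oci]` on the schema (a kubebuilder validation marker on the Go field, since this is controller-gen output) would reject it up front, and the same applies to `spec.upstream.type` in this hunk. The `mutators` and `validators` items say `image` and `functionRef` are mutually exclusive, but nothing in the schema enforces it, so an entry with both is accepted and which one runs is left to the controller; whether the function runner restricts which registries `image` may reference is not visible here and deserves a sentence in that description. The text `Based on the Kubernetest Admission Controllers` in both descriptions should read `Kubernetes`.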
@@ -0,0 +1,146 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: rootsyncsets.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: RootSyncSet + listKind: RootSyncSetList + plural: rootsyncsets + singular: rootsyncset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RootSyncSet is the Schema for the rootsyncsets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RootSyncSetSpec defines the desired state of RootSyncSet + properties: + clusterRefs: + items: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - namespace + type: object + type: array + template: + properties: + spec: + properties: + git: + properties: + auth: + type: string + branch: + type: string + dir: + type: string + gcpServiceAccountEmail: + type: string + noSSLVerify: + type: boolean + period: + type: string + proxy: + type: string + repo: + type: string + revision: + type: string + secretRef: + description: SecretReference contains the reference to the secret used to connect to Git source of truth. 
+ properties: + name: + description: Name represents the secret name. + type: string + type: object + required: + - auth + - repo + type: object + sourceFormat: + type: string + type: object + type: object + type: object + status: + description: RootSyncSetStatus defines the observed state of RootSyncSet + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/orchestrator/0-workloadidentitybindings.yaml b/infra/porch/from-yaml/orchestrator/0-workloadidentitybindings.yaml new file mode 100644 index 0000000..a52984c --- /dev/null +++ b/infra/porch/from-yaml/orchestrator/0-workloadidentitybindings.yaml 
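Review bot: The CRD in this file duplicates the `rootsyncsets.config.porch.kpt.dev` definition added earlier in this series with a `kpt-merge` comment and `internal.kpt.dev/upstream-identifier` annotation (presumably under `infra/porch/from-yaml/crds/`, next to the workloadidentitybindings CRD), differing only by those kpt markers. Only the annotated copy is tracked by kpt, so a package update will refresh that one and leave this one to drift, and because both share `metadata.name`, applying both means whichever is applied last wins without any conflict being reported. The same pairing exists for `workloadidentitybindings.config.porch.kpt.dev`. I would keep a single copy, or if the orchestrator directory must be self-contained, put a comment at the top of this file such as `# Copy of the kpt-managed CRD in <CRDS_DIR> (placeholder); regenerate from there rather than editing by hand.`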
@@ -0,0 +1,120 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: workloadidentitybindings.config.porch.kpt.dev +spec: + group: config.porch.kpt.dev + names: + kind: WorkloadIdentityBinding + listKind: WorkloadIdentityBindingList + plural: workloadidentitybindings + singular: workloadidentitybinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].reason + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WorkloadIdentityBinding + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkloadIdentityBindingSpec defines the desired state of RemoteRootSync + properties: + resourceRef: + properties: + apiVersion: + type: string + external: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + serviceAccountRef: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + type: object + type: object + status: + description: WorkloadIdentityBindingStatus defines the observed state of WorkloadIdentityBinding + properties: + conditions: + description: Conditions describes the reconciliation state of the object. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/infra/porch/from-yaml/orchestrator/1-namespace.yaml b/infra/porch/from-yaml/orchestrator/1-namespace.yaml new file mode 100644 index 0000000..11f2a39 --- /dev/null 
+++ b/infra/porch/from-yaml/orchestrator/1-namespace.yaml
@@ -0,0 +1,22 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: porch-system
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: porch-fn-system
diff --git a/infra/porch/from-yaml/orchestrator/2-function-runner.yaml b/infra/porch/from-yaml/orchestrator/2-function-runner.yaml
new file mode 100644
index 0000000..a613479
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/2-function-runner.yaml
@@ -0,0 +1,107 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: porch-fn-runner
+ namespace: porch-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: function-runner
+ namespace: porch-system
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: function-runner
+ template:
+ metadata:
+ labels:
+ app: function-runner
+ spec:
+ serviceAccountName: porch-fn-runner
+ containers:
+ - name: function-runner
+ image: gcr.io/kpt-dev/porch-function-runner:v0.0.9
+ imagePullPolicy: IfNotPresent
+ command:
+ - /server
+ - --config=/config.yaml
+ - --functions=/functions
+ - --pod-namespace=porch-fn-system
+ env:
+ - name: WRAPPER_SERVER_IMAGE
+ value: gcr.io/kpt-dev/porch-wrapper-server:v0.0.9
+ ports:
+ - containerPort: 9445
+ # Add grpc readiness probe to ensure the cache is ready
+ readinessProbe:
+ exec:
+ command:
+ - /grpc-health-probe
+ - -addr
+ - localhost:9445
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: 125m
+ volumeMounts:
+ - mountPath: /pod-cache-config
+ name: pod-cache-config-volume
+ volumes:
+ - name: pod-cache-config-volume
+ configMap:
+ name: pod-cache-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: function-runner
+ namespace: porch-system
+spec:
+ selector:
+ app: function-runner
+ ports:
+ - port: 9445
+ protocol: TCP
+ targetPort: 9445
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pod-cache-config
+ namespace: porch-system
+data:
+ pod-cache-config.yaml: |
+ gcr.io/kpt-fn/apply-replacements:v0.1.1: 30m
+ gcr.io/kpt-fn/apply-setters:v0.2.0: 30m
+ gcr.io/kpt-fn/create-setters:v0.1.0: 30m
+ gcr.io/kpt-fn/ensure-name-substring:v0.2.0: 30m
+ gcr.io/kpt-fn/gatekeeper:v0.2.1: 30m
+ gcr.io/kpt-fn/kubeval:v0.2.0: 30m
+ gcr.io/kpt-fn/search-replace:v0.2.0: 30m
+ gcr.io/kpt-fn/set-annotations:v0.1.4: 30m
+ gcr.io/kpt-fn/set-enforcement-action:v0.1.0: 30m
+ gcr.io/kpt-fn/set-image:v0.1.1: 30m
+ gcr.io/kpt-fn/set-labels:v0.1.5: 30m
+ gcr.io/kpt-fn/set-namespace:v0.4.1: 30m
+ gcr.io/kpt-fn/starlark:v0.4.3: 30m
+ gcr.io/kpt-fn/upsert-resource:v0.2.0: 30m
+ gcr.io/kpt-fn/enable-gcp-services:v0.1.0: 30m
+ gcr.io/kpt-fn/export-terraform:v0.1.0: 30m
+ gcr.io/kpt-fn/generate-folders:v0.1.1: 30m
+ gcr.io/kpt-fn/remove-local-config-resources:v0.1.0: 30m
+ gcr.io/kpt-fn/set-project-id:v0.2.0: 30m
diff --git a/infra/porch/from-yaml/orchestrator/3-porch-server.yaml b/infra/porch/from-yaml/orchestrator/3-porch-server.yaml
new file mode 100644
index 0000000..b51d473
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/3-porch-server.yaml
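Review bot: The function-runner container is declared without any pod or container `securityContext` and without `resources.limits`, yet it is the component that launches function pods in porch-fn-system (`--pod-namespace=porch-fn-system`); 3-porch-server.yaml and 9-controllers.yaml have the same securityContext gap. A restrictive container securityContext plus limits matching the style of porch-server's `limits` block would contain a misbehaving function image and keep the runner from starving the node. Whether the image runs as a non-root user is not visible here, so `runAsNonRoot` must be checked against the image before it is enabled.

```yaml
      - name: function-runner
        image: gcr.io/kpt-dev/porch-function-runner:v0.0.9
        # … unchanged: imagePullPolicy, command, env, ports, readinessProbe …
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true  # confirm the image's user before enabling
          capabilities:
            drop:
              - ALL
        resources:
          requests:
            memory: 64Mi
            cpu: 125m
          limits:
            memory: 256Mi  # constructed example; tune to observed usage
        # … unchanged: volumeMounts …
```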
@@ -0,0 +1,74 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: porch-server
+ namespace: porch-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: porch-server
+ namespace: porch-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: porch-server
+ template:
+ metadata:
+ labels:
+ app: porch-server
+ spec:
+ serviceAccountName: porch-server
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ containers:
+ - name: porch-server
+ # Update image to the image of your porch apiserver build.
+ image: gcr.io/kpt-dev/porch-server:v0.0.9
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 250m
+ limits:
+ memory: 512Mi
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ env:
+ # Uncomment to enable trace-reporting to jaeger
+ #- name: OTEL
+ # value: otel://jaeger-oltp:4317
+ - name: OTEL_SERVICE_NAME
+ value: porch-server
+ args:
+ - --function-runner=function-runner:9445
+ - --cache-directory=/cache
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: api
+ namespace: porch-system
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ app: porch-server
diff --git a/infra/porch/from-yaml/orchestrator/4-apiservice.yaml b/infra/porch/from-yaml/orchestrator/4-apiservice.yaml
new file mode 100644
index 0000000..8064b5a
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/4-apiservice.yaml
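Review bot: The `api` Service at the end of the hunk has no comment saying why a Service with that generic name exists; it is the backend that the kube-apiserver proxies aggregated API requests to (4-apiservice.yaml names `api` in `porch-system` as the APIService backend, and the Service forwards 443 to 443 on the porch-server pods), which a reader of this file alone cannot tell. I would put `# Backend of the v1alpha1.porch.kpt.dev APIService: the kube-apiserver proxies aggregated API requests here on 443.` above the Service. The commented-out `OTEL` entry inside `env` should likewise state what `otel://jaeger-oltp:4317` expects to be running, since nothing in this package creates a jaeger-oltp Service.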
@@ -0,0 +1,26 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.porch.kpt.dev
+spec:
+ insecureSkipTLSVerify: true
+ group: porch.kpt.dev
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: api
+ namespace: porch-system
+ version: v1alpha1
diff --git a/infra/porch/from-yaml/orchestrator/5-rbac.yaml b/infra/porch/from-yaml/orchestrator/5-rbac.yaml
new file mode 100644
index 0000000..41e8229
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/5-rbac.yaml
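Review bot: `insecureSkipTLSVerify: true` makes the kube-apiserver skip verification of porch-server's serving certificate when it proxies requests to the `api` Service in `porch-system`; those proxied requests carry the already-authenticated caller identity in front-proxy headers, so anything that can intercept in-cluster traffic to that Service could read or answer them as if it were porch-server. The APIService should instead carry the CA that signed porch-server's serving certificate: `insecureSkipTLSVerify: false` together with `caBundle: <BASE64_CA_PLACEHOLDER>` (or whatever CA-injection mechanism the repo already uses, if any). If skipping verification is a deliberate simplification for this sample, a comment next to the field saying so and naming the production setting would prevent it from being copied as-is.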
@@ -0,0 +1,97 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregated-apiserver-clusterrole
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - repositories
+ - repositories/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ # Needed for priority and fairness
+ - apiGroups:
+ - flowcontrol.apiserver.k8s.io
+ resources:
+ - flowschemas
+ - prioritylevelconfigurations
+ verbs:
+ - get
+ - watch
+ - list
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregated-apiserver-role
+ namespace: porch-system
+rules:
+ # Needed for workload identity
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: porch-function-executor
+ namespace: porch-fn-system
+rules:
+ # Needed to launch / read function executor pods
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - patch
+ - get
+ - watch
+ - list
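Review bot: The first rule of `aggregated-apiserver-clusterrole` grants `get`/`watch`/`list` on `secrets` in the core group with no namespace or `resourceNames` restriction, so the porch-server ServiceAccount can read every Secret in every namespace, not only the credentials referenced by `repositories` objects. Nothing in the hunk says why cluster scope is required; the other rules carry explanatory comments (`# Needed for priority and fairness`, `# Needed for workload identity`) but this one does not, so at minimum `# Cluster-wide Secret read: repository auth secrets may live in any namespace` should be added, and where the set of repository namespaces is known, a per-namespace Role/RoleBinding would be the narrower alternative. The `aggregated-apiserver-role` and `porch-function-executor` Roles are namespaced and look appropriately scoped as written.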
diff --git a/infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml b/infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml
new file mode 100644
index 0000000..d405bff
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/6-rbac-bind.yaml
@@ -0,0 +1,53 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sample-apiserver-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: aggregated-apiserver-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: sample-apiserver-rolebinding
+ namespace: porch-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: aggregated-apiserver-role
+subjects:
+ - kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: porch-function-executor
+ namespace: porch-fn-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: porch-function-executor
+subjects:
+ - kind: ServiceAccount
+ name: porch-fn-runner
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/7-auth-reader.yaml b/infra/porch/from-yaml/orchestrator/7-auth-reader.yaml
new file mode 100644
index 0000000..aab4142
--- /dev/null
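Review bot: The first two bindings are named `sample-apiserver-clusterrolebinding` and `sample-apiserver-rolebinding`, which reads as a leftover from the Kubernetes sample-apiserver and says nothing about porch, while the sibling bindings in this package use `porch:system:auth-delegator` (8-auth-delegator.yaml) and `porch-system:porch-controllers` (9-controllers.yaml) — three naming conventions for the same kind of object. Renaming them to e.g. `porch-server-clusterrolebinding` / `porch-server-rolebinding` makes `kubectl get clusterrolebindings` output attributable to porch and is safe here because no other resource in the hunk references a binding by name. This file also indents sequence items under `subjects` and `rules` while 7-auth-reader.yaml, 8-auth-delegator.yaml and 9-controllers.yaml write them flush; one style should be used across the package.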
+++ b/infra/porch/from-yaml/orchestrator/7-auth-reader.yaml
@@ -0,0 +1,26 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: porch-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml b/infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml
new file mode 100644
index 0000000..3d6cdce
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/8-auth-delegator.yaml
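Review bot: This RoleBinding is the only porch object placed in `kube-system` and carries no comment on why it belongs there: `extension-apiserver-authentication-reader` is the built-in Role that allows reading the `extension-apiserver-authentication` ConfigMap, which holds the client CA and the requestheader (front-proxy) CA an aggregated API server needs to authenticate requests proxied to it by the kube-apiserver. I would add `# Lets porch-server read the extension-apiserver-authentication ConfigMap in kube-system (client and front-proxy CAs) so it can authenticate proxied requests.` above `apiVersion`. Without that note a reader may treat the kube-system binding as a mistake and drop it, which would break authentication of every porch API call.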
@@ -0,0 +1,25 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: porch:system:auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: porch-server
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/9-controllers.yaml b/infra/porch/from-yaml/orchestrator/9-controllers.yaml
new file mode 100644
index 0000000..b1c3bf7
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/9-controllers.yaml
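Review bot: The binding of porch-server to `system:auth-delegator` is undocumented; that built-in ClusterRole permits creating `tokenreviews` and `subjectaccessreviews`, i.e. it lets porch-server hand authentication and authorization decisions for incoming porch API requests back to the kube-apiserver, which every aggregated API server needs. A one-line comment above the ClusterRoleBinding, `# Delegates authn/authz of porch API requests to the kube-apiserver (TokenReview / SubjectAccessReview).`, would make the purpose clear and mark it as deliberately cluster-scoped.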
@@ -0,0 +1,219 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: porch-controllers
+ namespace: porch-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: porch-controllers
+ namespace: porch-system
+ labels:
+ k8s-app: porch-controllers
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: porch-controllers
+ template:
+ metadata:
+ labels:
+ k8s-app: porch-controllers
+ spec:
+ serviceAccountName: porch-controllers
+ containers:
+ - name: porch-controllers
+ # Update to the image of your porch-controllers build.
+ image: gcr.io/kpt-dev/porch-controllers:v0.0.9
+ env:
+ - name: GCP_PROJECT_ID
+ value: example-google-project-id
+ - name: HACK_ENABLE_LOOPBACK
+ value: "1"
+---
+# TODO: Part of this is currently copied from porch/controller/config/rbac/role.yaml
+# We should find a better solution.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: porch-controllers
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - repositories
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - configcontroller.cnrm.cloud.google.com
+ resources:
+ - configcontrollerinstances
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - container.cnrm.cloud.google.com
+ resources:
+ - containerclusters
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - core.cnrm.cloud.google.com
+ resources:
+ - configconnectorcontexts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - hub.gke.io
+ resources:
+ - memberships
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: porch-system:porch-controllers
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: porch-controllers
+subjects:
+- kind: ServiceAccount
+ name: porch-controllers
+ namespace: porch-system
diff --git a/infra/porch/from-yaml/orchestrator/Kptfile b/infra/porch/from-yaml/orchestrator/Kptfile
new file mode 100644
index 0000000..26f914b
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/Kptfile
@@ -0,0 +1,6 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: porch
+info:
+ description: porch
diff --git a/infra/porch/from-yaml/orchestrator/config-management-operator.yaml b/infra/porch/from-yaml/orchestrator/config-management-operator.yaml
new file mode 100644
index 0000000..876360d
--- /dev/null
+++ b/infra/porch/from-yaml/orchestrator/config-management-operator.yaml
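Review bot: The last rule of the `porch-controllers` ClusterRole grants `create` on `serviceaccounts/token` with no namespace or `resourceNames` restriction, which lets the controller mint a token for any ServiceAccount in the cluster — in effect the ability to act as every ServiceAccount, including those in kube-system. That is presumably for the WorkloadIdentityBinding reconciler, whose CRD `serviceAccountRef` carries a `namespace`, but the rule has no comment and the `TODO` above the ClusterRole already admits the rules were copied from elsewhere; at least `# TokenRequest on arbitrary ServiceAccounts: needed by the WorkloadIdentityBinding controller; this is cluster-wide impersonation power` should be recorded, and if bound ServiceAccounts live in a known set of namespaces, a RoleBinding per namespace would be the narrower grant. Separately, `GCP_PROJECT_ID` is set to the placeholder `example-google-project-id` with no "replace me" comment, unlike the image line above it, and `HACK_ENABLE_LOOPBACK: "1"` has no explanation of what it enables or whether it is meant to ship.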
@@ -0,0 +1,463 @@ +# apiVersion: apiextensions.k8s.io/v1 +# kind: CustomResourceDefinition +# metadata: +# annotations: +# controller-gen.kubebuilder.io/version: v0.5.0 +# creationTimestamp: null +# name: configmanagements.configmanagement.gke.io +# spec: +# group: configmanagement.gke.io +# names: +# kind: ConfigManagement +# listKind: ConfigManagementList +# plural: configmanagements +# singular: configmanagement +# scope: Cluster +# versions: +# - name: v1 +# schema: +# openAPIV3Schema: +# description: ConfigManagement is the Schema for the ConfigManagement API. +# properties: +# apiVersion: +# description: 'APIVersion defines the versioned schema of this representation +# of an object. Servers should convert recognized schemas to the latest +# internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +# type: string +# kind: +# description: 'Kind is a string value representing the REST resource this +# object represents. Servers may infer this from the endpoint the client +# submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +# type: string +# metadata: +# properties: +# name: +# pattern: config-management +# type: string +# type: object +# spec: +# description: ConfigManagementSpec defines the desired state of ConfigManagement. +# properties: +# ConfigSyncDisableFSWatcher: +# description: ConfigSyncDisableFSWatcher provides the ability to disable +# the fs-watcher process. This field is intentionally left hidden/undocumented +# since it is only meant to be used by customers who have very large +# repositories. Optional. +# type: boolean +# ConfigSyncLogLevel: +# description: ConfigSyncLogLevel overrides the logging verbosity for +# all ConfigSync pods. 
This field is intentionally left hidden/undocumented +# since it is really only used to gather extra logs for support cases. +# type: integer +# allowVerticalScale: +# description: 'AllowVerticalScale specifies if the vertical autoscaler +# is enabled. Default: false.' +# type: boolean +# binauthz: +# description: BinAuthz enables Binary Authorization as recognized by +# the "binauthz.configmanagement.gke.io" label set to "true". +# properties: +# enabled: +# description: 'Enable or disable BinAuthz. Default: false.' +# type: boolean +# policyRef: +# description: PolicyRef is a reference to the BinAuthz policy which +# will be evaluated. Required if BinAuthz is enabled. +# properties: +# gkeCluster: +# description: BinAuthz policy associated with this GKE-on-GCP +# cluster. +# properties: +# location: +# description: Location of this cluster +# type: string +# name: +# description: The name of this cluster according to GKE. +# This is not necessarily the same as the hub membership +# name. +# type: string +# project: +# description: The name of the GCP project containing this +# cluster +# type: string +# type: object +# type: object +# type: object +# channel: +# description: 'Channel specifies a channel that can be used to resolve +# a specific addon, eg: stable It will be ignored if Version is specified' +# type: string +# clusterName: +# description: ClusterName, if defined, sets the name for this cluster. If +# unset, the cluster is considered to be unnamed, and cannot use ClusterSelectors. +# type: string +# configConnector: +# description: 'Deprecated: Does nothing. ConfigConnector can no longer +# be enabled/disabled with the ConfigManagement resource; the software +# is available as a standalone: https://cloud.google.com/config-connector' +# properties: +# enabled: +# description: 'Enable or disable the Config Connector. Default: +# false.' 
+# type: boolean +# type: object +# enableLegacyFields: +# description: EnableLegacyFields instructs the operator to use spec.git +# for generating a RootSync resource in MultiRepo mode. Note that +# this should only be set to true if spec.enableMultiRepo is set to +# true. +# type: boolean +# enableMultiRepo: +# description: EnableMultiRepo instructs the operator to enable Multi +# Repo mode for Config Sync. +# type: boolean +# git: +# description: Git contains configuration specific to importing policies +# from a Git repo. +# properties: +# gcpServiceAccountEmail: +# description: 'GCPServiceAccountEmail specifies the GCP service +# account used to annotate the Config Sync Kubernetes Service +# Account. Note: The field is used when secretType: gcpServiceAccount.' +# type: string +# policyDir: +# description: 'PolicyDir is the absolute path of the directory +# that contains the local policy. Default: the root directory +# of the repo.' +# type: string +# proxy: +# description: Proxy is a struct that contains options for configuring +# access to the Git repo via a proxy. Only has an effect when +# secretType is one of ("cookiefile", "none"). Optional. +# properties: +# httpProxy: +# description: HTTPProxy defines a HTTP_PROXY env variable used +# to access the Git repo. If both HTTPProxy and HTTPSProxy +# are specified, HTTPProxy will be ignored. Optional. +# type: string +# httpsProxy: +# description: HTTPSProxy defines a HTTPS_PROXY env variable +# used to access the Git repo. If both HTTPProxy and HTTPSProxy +# are specified, HTTPProxy will be ignored. Optional. +# type: string +# type: object +# secretType: +# description: SecretType is the type of secret configured for access +# to the Git repo. Must be one of ssh, cookiefile, gcenode, token, +# gcpserviceaccount or none. Required. The validation of this +# is case-sensitive. 
+# pattern: ^(ssh|cookiefile|gcenode|gcpserviceaccount|token|none)$ +# type: string +# syncBranch: +# description: 'SyncBranch is the branch to sync from. Default: +# "master".' +# type: string +# syncRepo: +# pattern: ^(((https?|git|ssh):\/\/)|git@) +# type: string +# syncRev: +# description: 'SyncRev is the git revision (tag or hash) to check +# out. Default: HEAD.' +# type: string +# syncWait: +# description: 'SyncWaitSeconds is the time duration in seconds +# between consecutive syncs. Default: 15 seconds. Note that SyncWaitSecs +# is not a time.Duration on purpose. This provides a reminder +# to developers that customers specify this value using using +# integers like "3" in their ConfigManagement YAML. However, time.Duration +# is at a nanosecond granularity, and it''s easy to introduce +# a bug where it looks like the code is dealing with seconds but +# its actually nanoseconds (or vice versa).' +# type: integer +# type: object +# hierarchyController: +# description: Hierarchy Controller enables HierarchyController components +# as recognized by the "hierarchycontroller.configmanagement.gke.io" +# label set to "true". +# properties: +# enableHierarchicalResourceQuota: +# description: 'HierarchicalResourceQuota enforces resource quota +# in a hierarchical fashion: a resource quota set for one namespace +# provides constraints that limit aggregate resource consumption +# for that namespace and all its descendants. Disabling this will +# not delete user created hrq CRs, but will delete all the intermediate +# resources created by HRQ (specifically the resource quota singletons), +# which are labeled with hierarchycontroller.configmanagement.gke.io/hrq +# for easier cleanup.' +# type: boolean +# enablePodTreeLabels: +# description: PodTreeLabels copies the tree labels from namespaces +# to pods, allowing any system that uses pod logs (such as Stackdriver +# logging) to inspect the hierarchy. 
+# type: boolean
+# enabled:
+# description: 'Enable or disable the Hierarchy Controller. Default:
+# false.'
+# type: boolean
+# type: object
+# importer:
+# description: Importer allows one to override the existing resource
+# requirements for the importer pod
+# properties:
+# limits:
+# additionalProperties:
+# anyOf:
+# - type: integer
+# - type: string
+# pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+# x-kubernetes-int-or-string: true
+# description: 'Limits describes the maximum amount of compute resources
+# allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+# type: object
+# requests:
+# additionalProperties:
+# anyOf:
+# - type: integer
+# - type: string
+# pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+# x-kubernetes-int-or-string: true
+# description: 'Requests describes the minimum amount of compute
+# resources required. If Requests is omitted for a container,
+# it defaults to Limits if that is explicitly specified, otherwise
+# to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+# type: object
+# type: object
+# patches:
+# items:
+# type: object
+# type: array
+# x-kubernetes-preserve-unknown-fields: true
+# policyController:
+# description: Policy Controller enables PolicyController components
+# as recognized by the "gatekeeper.sh/manifest" label set to "true".
+# properties:
+# auditIntervalSeconds:
+# description: AuditIntervalSeconds. The number of seconds between
+# audit runs. Defaults to 60 seconds. To disable audit, set this
+# to 0.
+# format: int64
+# type: integer
+# enabled:
+# description: 'Enable or disable the Policy Controller. Default:
+# false.'
+# type: boolean
+# exemptableNamespaces:
+# description: ExemptableNamespaces. The namespaces in this list
+# are able to have the admission.gatekeeper.sh/ignore label set.
+# When the label is set, Policy Controller will not be called
+# for that namespace or any resources contained in it. `gatekeeper-system`
+# is always exempted.
+# items:
+# type: string
+# type: array
+# logDeniesEnabled:
+# description: 'LogDeniesEnabled. If true, Policy Controller will
+# log all denies and dryrun failures. No effect unless policyController
+# is enabled. Default: false.'
+# type: boolean
+# monitoring:
+# description: Monitoring specifies the configuration of monitoring.
+# properties:
+# backends:
+# items:
+# type: string
+# type: array
+# type: object
+# mutation:
+# description: Mutation specifies the configuration of mutation.
+# This is a preview feature and may change before becoming generally
+# available.
+# properties:
+# enabled:
+# description: 'Enable or disable mutation in policy controller.
+# If true, mutation CRDs, webhook and controller will be deployed
+# to the cluster. Default: false.'
+# type: boolean
+# type: object
+# referentialRulesEnabled:
+# description: 'ReferentialRulesEnabled. If true, Policy Controller
+# will allow `data.inventory` references in the contents of ConstraintTemplate
+# Rego. No effect unless policyController is enabled. Default:
+# false.'
+# type: boolean
+# templateLibraryInstalled:
+# description: 'TemplateLibraryInstalled. If true, a set of default
+# ConstraintTemplates will be deployed to the cluster. ConstraintTemplates
+# will not be deployed if this is explicitly set to false or if
+# policyController is not enabled. Default: true.'
+# type: boolean
+# type: object
+# preventDrift:
+# description: 'preventDrift, if set to `true`, enables the Config Sync
+# admission webhook to prevent drifts. If set to `false`, disables
+# the Config Sync admission webhook and does not prevent drifts. Default:
+# false. Config Sync always corrects drifts no matter the value of
+# preventDrift.'
+# type: boolean
+# sourceFormat:
+# description: "SourceFormat specifies how the repository is formatted.
+# See documentation for specifics of what these options do. \n Must
+# be one of hierarchy, unstructured. Optional. Set to hierarchy if
+# not specified. \n The validation of this is case-sensitive."
+# pattern: ^(hierarchy|unstructured|)$
+# type: string
+# syncer:
+# description: Syncer allows one to override the existing resource requirements
+# for the syncer pod
+# properties:
+# limits:
+# additionalProperties:
+# anyOf:
+# - type: integer
+# - type: string
+# pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+# x-kubernetes-int-or-string: true
+# description: 'Limits describes the maximum amount of compute resources
+# allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+# type: object
+# requests:
+# additionalProperties:
+# anyOf:
+# - type: integer
+# - type: string
+# pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+# x-kubernetes-int-or-string: true
+# description: 'Requests describes the minimum amount of compute
+# resources required. If Requests is omitted for a container,
+# it defaults to Limits if that is explicitly specified, otherwise
+# to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+# type: object
+# type: object
+# version:
+# description: Version specifies the exact addon version to be deployed,
+# eg 1.2.3 It should not be specified if Channel is specified
+# type: string
+# type: object
+# status:
+# description: ConfigManagementStatus defines the observed state of ConfigManagement.
+# properties:
+# configManagementVersion:
+# description: ConfigManagementVersion is the semantic version number
+# of the config management system enforced by the currently running
+# config management operator.
+# type: string
+# errors:
+# items:
+# type: string
+# type: array
+# healthy:
+# type: boolean
+# phase:
+# type: string
+# required:
+# - healthy
+# type: object
+# required:
+# - metadata
+# - spec
+# type: object
+# served: true
+# storage: true
+# status:
+# acceptedNames:
+# kind: ""
+# plural: ""
+# conditions: []
+# storedVersions: []
+# ---
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+# name: config-management-system
+# labels:
+# configmanagement.gke.io/system: "true"
+# ---
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+# name: config-management-monitoring
+# labels:
+# configmanagement.gke.io/system: "true"
+# ---
+# # The Nomos system creates RBAC rules, so it requires
+# # full cluster-admin access. Thus, the operator needs
+# # to be able to grant tha permission to the installed
+# # Nomos components.
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRole
+# metadata:
+# labels:
+# k8s-app: config-management-operator
+# name: config-management-operator
+# rules:
+# - apiGroups: ["*"]
+# resources: ["*"]
+# verbs: ["*"]
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRoleBinding
+# metadata:
+# labels:
+# k8s-app: config-management-operator
+# name: config-management-operator
+# roleRef:
+# apiGroup: rbac.authorization.k8s.io
+# kind: ClusterRole
+# name: config-management-operator
+# subjects:
+# - kind: ServiceAccount
+# name: config-management-operator
+# namespace: config-management-system
+# ---
+# apiVersion: v1
+# kind: ServiceAccount
+# metadata:
+# labels:
+# k8s-app: config-management-operator
+# name: config-management-operator
+# namespace: config-management-system
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: config-management-operator
+# namespace: config-management-system
+# labels:
+# k8s-app: config-management-operator
+# spec:
+# strategy:
+# type: Recreate
+# # must be null due to 3-way merge, as
+# # rollingUpdate added to the resource by default by the APIServer
+# rollingUpdate: null
+# selector:
+# matchLabels:
+# k8s-app: config-management-operator
+# component: config-management-operator
+# template:
+# metadata:
+# labels:
+# k8s-app: config-management-operator
+# component: config-management-operator
+# spec:
+# containers:
+# - command:
+# - /manager
+# - --private-registry=
+# name: manager
+# image: gcr.io/config-management-release/config-management-operator:20220802182902-op
+# resources:
+# requests:
+# cpu: 100m
+# memory: 100Mi
+# envFrom:
+# - configMapRef:
+# name: operator-environment-options
+# optional: true
+# securityContext:
+# allowPrivilegeEscalation: false
+# readOnlyRootFilesystem: true
+# serviceAccount: config-management-operator
+# securityContext:
+# runAsUser: 1000
+# runAsNonRoot: true
diff --git a/infra/porch/from-yaml/rbac/Kptfile b/infra/porch/from-yaml/rbac/Kptfile
new file mode 100644
index 0000000..03d8af6
--- /dev/null
+++ b/infra/porch/from-yaml/rbac/Kptfile
@@ -0,0 +1,18 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: rbac
+upstream:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/controllers/config/rbac
+ ref: porch/v0.0.9
+ updateStrategy: resource-merge
+upstreamLock:
+ type: git
+ git:
+ repo: git@github.com:GoogleContainerTools/kpt
+ directory: /porch/controllers/config/rbac
+ ref: porch/v0.0.9
+ commit: 1c7ebea5b4c9f41321ed28126f8b2b8ff71aba71
diff --git a/infra/porch/from-yaml/rbac/role.yaml b/infra/porch/from-yaml/rbac/role.yaml
new file mode 100644
index 0000000..e1f3e16
--- /dev/null
+++ b/infra/porch/from-yaml/rbac/role.yaml
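Review bot: Both `repo:` entries (`upstream.git.repo` and `upstreamLock.git.repo`) use the SSH form `git@github.com:GoogleContainerTools/kpt`, so any `kpt pkg update` of this package needs an SSH key with GitHub access even though the repository is public; the HTTPS form `https://github.com/GoogleContainerTools/kpt` fetches without credentials and is what CI runners usually have. The `upstreamLock.commit` pin is the right choice for a vendored RBAC package and should stay, since `ref: porch/v0.0.9` alone is a movable tag.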
@@ -0,0 +1,105 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata: # kpt-merge: /porch-controllers
+ creationTimestamp: null
+ name: porch-controllers
+ annotations:
+ internal.kpt.dev/upstream-identifier: 'rbac.authorization.k8s.io|ClusterRole|default|porch-controllers'
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - remoterootsyncsets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - rootsyncsets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - config.porch.kpt.dev
+ resources:
+ - workloadidentitybindings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/infra/porch/from-yaml/ui/1-namespace-backstage.yaml b/infra/porch/from-yaml/ui/1-namespace-backstage.yaml
new file mode 100644
index 0000000..3bf9ba2
--- /dev/null
+++ b/infra/porch/from-yaml/ui/1-namespace-backstage.yaml
@@ -0,0 +1,17 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: backstage
diff --git a/infra/porch/from-yaml/ui/2-secret.yaml b/infra/porch/from-yaml/ui/2-secret.yaml
new file mode 100644
index 0000000..caaf035
--- /dev/null
+++ b/infra/porch/from-yaml/ui/2-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cad-google-oauth-client
+ namespace: backstage
+type: Opaque
+stringData:
+ # create a OAUTH 2.0 in pantheon
+ client-id: TODO
+ client-secret: TODO
diff --git a/infra/porch/from-yaml/ui/3-deployment.yaml b/infra/porch/from-yaml/ui/3-deployment.yaml
new file mode 100644
index 0000000..2a13db0
--- /dev/null
+++ b/infra/porch/from-yaml/ui/3-deployment.yaml
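Review bot: The `stringData` placeholders `client-id: TODO` / `client-secret: TODO` in 2-secret.yaml are an invitation to paste the real Google OAuth client secret into this file and commit it to the repository; a Secret manifest that is meant to be filled in should not be on the apply path at all. Either create this Secret out-of-band (or from a secret-store sync) and drop the manifest, or keep it as a template that kpt skips by annotating it `config.kubernetes.io/local-config: "true"`, with the values supplied at deploy time. Note that the consuming Deployment in this same patch references these keys with `optional: false`, which only checks that the keys exist, so applying the placeholders as-is starts the pod with a bogus credential that fails at OAuth time rather than at admission. The comment `# create a OAUTH 2.0 in pantheon` uses an internal name and is unclear to outside readers; suggest `# OAuth 2.0 client ID and secret created in the Google Cloud console (APIs & Services > Credentials); never commit real values here`.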
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backstage
+ namespace: backstage
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backstage
+ template:
+ metadata:
+ labels:
+ app: backstage
+ spec:
+ containers:
+ - name: backstage
+ image: gcr.io/kpt-dev/kpt-backstage-plugins/backstage-plugin-cad:v0.1.1
+ ports:
+ - name: http
+ containerPort: 7007
+ env:
+ - name: AUTH_GOOGLE_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: cad-google-oauth-client
+ key: client-id
+ optional: false
+ - name: AUTH_GOOGLE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: cad-google-oauth-client
+ key: client-secret
+ optional: false
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backstage
+ namespace: backstage
+spec:
+ selector:
+ app: backstage
+ ports:
+ - name: http
+ port: 7007
+ targetPort: http
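Review bot: The `backstage` container carries the Google OAuth client secret in its environment yet has no `securityContext`, while the commented-out config-management-operator Deployment earlier in this patch already shows the expected baseline (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`); the UI pod should be held to the same bar. It also declares no `resources`, so a single misbehaving replica can starve the node, and no readiness probe, so the Service will route to the pod before the plugin is listening on 7007 (the probe path is image-specific and is left out of the sketch below). `readOnlyRootFilesystem: true` is omitted from the sketch as well because it is not known from this hunk whether the image writes to its root filesystem; enable it if the image tolerates it. Pinning `image:` by digest rather than the `v0.1.1` tag would make the deployed artifact reproducible. The resource figures below are placeholders, not measured values.
```yaml
      containers:
        - name: backstage
          image: gcr.io/kpt-dev/kpt-backstage-plugins/backstage-plugin-cad:v0.1.1
          # … unchanged: ports, env …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 100m      # placeholder sizing - confirm against observed usage
              memory: 256Mi  # placeholder sizing - confirm against observed usage
```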