Bump capi-k8s-release and kpack

- Bumps to kpack 0.1.2 which has multiple breaking changes from the
previous version we used
- Bumps to a branch of capi-k8s-release which supports the breaking
changes kpack introduced
   - We (CAPI) will merge this into our primary branch after this change
   has been merged into cf-for-k8s
   - This also encapsulates additional changes which happened in the
   interim for:
      - cloudfoundry/capi-k8s-release#44
      - cloudfoundry/capi-k8s-release#65

Co-authored-by: Sannidhi Jalukar <sjalukar@pivotal.io>

config/capi/_ytt_lib/capi-k8s-release/templates/api_server_deployment.yml

@@ -21,7 +21,6 @@ spec:
       annotations:
         prometheus.io/scrape: 'true'
         prometheus.io/port: '9102'
-        traffic.sidecar.istio.io/excludeInboundPorts: "9102"
       labels:
         app.kubernetes.io/name: cf-api-server
     spec:
@@ -39,16 +38,17 @@ spec:
           imagePullPolicy: Always
           resources:
             requests:
+              cpu: 500m
               memory: 300Mi
             limits:
+              cpu: 1000m
               memory: 1.2Gi
           volumeMounts:
           - #@ template.replace(shared_config_volume_mounts())
           - name: server-sock
             mountPath: /data/cloud_controller_ng
-          #@ if/end data.values.uaa.serverCerts.secretName:
-          - name: uaa-certs
-            mountPath: /config/uaa/certs
+          - name: nginx-uploads
+            mountPath: /tmp/uploads
           #@ if/end data.values.eirini.serverCerts.secretName:
           - name: eirini-certs
             mountPath: /config/eirini/certs
@@ -67,16 +67,42 @@ spec:
             value: #@ ccng_secrets_mount_path
           resources:
             requests:
+              cpu: 100m
               memory: 300Mi
             limits:
+              cpu: 500m
               memory: 1.2Gi
           volumeMounts:
           - #@ template.replace(shared_config_volume_mounts())
           - name: nginx-uploads
             mountPath: /tmp/uploads
+          - name: tmp-packages
+            mountPath: /tmp/packages
           #@ if/end data.values.ccdb.ca_cert:
           - name: database-ca-cert
             mountPath: /config/database/certs
+        - name: package-image-uploader
+          image: #@ data.values.images.package_image_uploader
+          imagePullPolicy: Always
+          securityContext:
+            runAsUser: 0
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+          volumeMounts:
+          - name: tmp-packages
+            mountPath: /tmp/packages
+          env:
+          - name: REGISTRY_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: cc-package-registry-upload-secret
+                key: username
+          - name: REGISTRY_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: cc-package-registry-upload-secret
+                key: password
         - name: nginx
           image: #@ data.values.images.nginx
           imagePullPolicy: Always
@@ -86,6 +112,13 @@ spec:
             httpGet:
               port: 80
               path: "/healthz"
+          resources:
+            requests:
+              cpu: 100m
+              memory: 300Mi
+            limits:
+              cpu: 500m
+              memory: 1Gi
           volumeMounts:
           - name: nginx
             mountPath: /etc/nginx
@@ -101,6 +134,13 @@ spec:
           - containerPort: 9102
           image: #@ data.values.images.statsd_exporter
           imagePullPolicy: Always
+          resources:
+            requests:
+              cpu: 100m
+              memory: 300Mi
+            limits:
+              cpu: 500m
+              memory: 1Gi
       serviceAccountName: cf-api-server-service-account
       volumes:
       - #@ template.replace(shared_config_volumes())
@@ -111,10 +151,6 @@ spec:
           name: nginx
       - name: nginx-logs
         emptyDir: {}
-      #@ if/end data.values.uaa.serverCerts.secretName:
-      - name: uaa-certs
-        secret:
-          secretName: #@ data.values.uaa.serverCerts.secretName
       #@ if/end data.values.eirini.serverCerts.secretName:
       - name: eirini-certs
         secret:
@@ -125,4 +161,6 @@ spec:
           secretName: database-ca-cert
       - name: nginx-uploads
         emptyDir: {}
+      - name: tmp-packages
+        emptyDir: {}
 

config/capi/_ytt_lib/capi-k8s-release/templates/cc-kpack-registry-service-account.yml

@@ -14,7 +14,19 @@ metadata:
   name: cc-kpack-registry-auth-secret
   namespace: #@ data.values.staging_namespace
   annotations:
-    build.pivotal.io/docker: #@ data.values.kpack.registry.hostname
+    kpack.io/docker: #@ data.values.kpack.registry.hostname
+type: kubernetes.io/basic-auth
+stringData:
+  username: #@ data.values.kpack.registry.username
+  password: #@ data.values.kpack.registry.password
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cc-package-registry-upload-secret
+  namespace: #@ data.values.system_namespace
+  annotations:
+    kpack.io/docker: #@ data.values.kpack.registry.hostname
 type: kubernetes.io/basic-auth
 stringData:
   username: #@ data.values.kpack.registry.username

config/capi/_ytt_lib/capi-k8s-release/templates/ccng-config.lib.yml

@@ -15,6 +15,7 @@ fluent:
   port: 24224
 
 internal_service_hostname: #@ "capi.{}.svc.cluster.local".format(data.values.system_namespace)
+internal_service_port: 80
 
 pid_filename: /cloud_controller_ng/cloud_controller_ng.pid
 newrelic_enabled: false
@@ -129,7 +130,6 @@ uaa:
   internal_url: #@ "http://uaa.{}.svc.cluster.local:8080".format(data.values.system_namespace)
   resource_id: cloud_controller,cloud_controller_service_permissions
   client_timeout: 60
-  ca_file: /config/uaa/certs/uaa.crt
 
 routing_api:
   url: #@ "https://api.{}/routing".format(data.values.system_domain)
@@ -192,13 +192,14 @@ packages:
     path_style: true
   max_valid_packages_stored: 5
   max_package_size: 1073741824
-
-  cdn:
-    uri:
-    key_pair_id:
-    private_key: ""
-
   fog_aws_storage_options: {}
+  image_registry: {
+    base_path: #@ data.values.kpack.registry.repository_prefix
+  }
+
+package_image_uploader:
+  host: 127.0.0.1
+  port: 8080
 
 droplets:
   droplet_directory_key: #@ data.values.blobstore.droplet_directory_key
@@ -266,7 +267,7 @@ cc_service_key_client_secret: TODO
 allow_app_ssh_access: true
 default_app_ssh_access: true
 
-skip_cert_verify: true
+skip_cert_verify: false
 
 install_buildpacks: []
 

config/capi/_ytt_lib/capi-k8s-release/templates/cf-api-controllers-service-account.yml

@@ -54,7 +54,7 @@ metadata:
   name: "cf:kpack-builds-informer"
 rules:
   - apiGroups:
-      - build.pivotal.io
+      - kpack.io
     resources:
       - builds
     verbs:

config/capi/_ytt_lib/capi-k8s-release/templates/cf-api-server-service-account.yml

@@ -37,15 +37,15 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cf-api-server-service-account-kpack-custombuilder-admin
+  name: cf-api-server-service-account-kpack-builder-admin
   namespace: #@ data.values.staging_namespace
 subjects:
   - kind: ServiceAccount
     name: cf-api-server-service-account
     namespace: #@ data.values.system_namespace
 roleRef:
   kind: ClusterRole
-  name: "cf:kpack-custombuilder-admin"
+  name: "cf:kpack-builder-admin"
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -69,7 +69,7 @@ metadata:
   name: "cf:kpack-builds-admin"
 rules:
   - apiGroups:
-      - build.pivotal.io
+      - kpack.io
     resources:
       - images
     verbs:
@@ -81,13 +81,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: "cf:kpack-custombuilder-admin"
+  name: "cf:kpack-builder-admin"
 rules:
   - apiGroups:
-      - experimental.kpack.pivotal.io
+      - kpack.io
     resources:
-      - custombuilders
-      - custombuilders/status
+      - builders
+      - builders/status
     verbs:
       - get
       - create

config/capi/_ytt_lib/capi-k8s-release/templates/cf-api-worker-service-account.yml

@@ -37,13 +37,13 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cf-api-worker-service-account-kpack-custombuilder-admin
+  name: cf-api-worker-service-account-kpack-builder-admin
   namespace: #@ data.values.staging_namespace
 subjects:
   - kind: ServiceAccount
     name: cf-api-worker-service-account
     namespace: #@ data.values.system_namespace
 roleRef:
   kind: ClusterRole
-  name: "cf:kpack-custombuilder-admin"
+  name: "cf:kpack-builder-admin"
   apiGroup: rbac.authorization.k8s.io

config/capi/_ytt_lib/capi-k8s-release/templates/clock_deployment.yml

@@ -37,8 +37,10 @@ spec:
             value: #@ ccng_secrets_mount_path
           resources:
             requests:
+              cpu: 300m
               memory: 300Mi
             limits:
+              cpu: 1000m
               memory: 1Gi
           readinessProbe:
             tcpSocket:

config/capi/_ytt_lib/capi-k8s-release/templates/controllers_deployment.yml

@@ -60,7 +60,7 @@ kind: ClusterRole
 metadata:
   name: cf-api-controllers
 rules:
-- apiGroups: ["build.pivotal.io"]
+- apiGroups: ["kpack.io"]
   resources: ["images", "builds", "builds/status", "images/status"]
   verbs: ["get", "watch", "list"]
 ---

config/capi/_ytt_lib/capi-k8s-release/templates/deployment_updater_deployment.yml

@@ -37,8 +37,10 @@ spec:
             value: #@ ccng_secrets_mount_path
           resources:
             requests:
+              cpu: 300m
               memory: 300Mi
             limits:
+              cpu: 1000m
               memory: 1Gi
           readinessProbe:
             tcpSocket:

config/capi/_ytt_lib/capi-k8s-release/templates/worker_deployment.yml

@@ -33,8 +33,10 @@ spec:
             value: #@ ccng_secrets_mount_path
           resources:
             requests:
+              cpu: 300m
               memory: 300Mi
             limits:
+              cpu: 1000m
               memory: 1Gi
           readinessProbe:
             tcpSocket:

config/capi/_ytt_lib/capi-k8s-release/values/_default.yml

@@ -119,5 +119,3 @@ images:
   nginx:
   statsd_exporter:
   package_image_uploader:
-kbld:
-  destination:

config/capi/_ytt_lib/capi-k8s-release/values/images.yml

@@ -1,11 +1,9 @@
 #@data/values
 ---
 images:
-  ccng: cloudfoundry/cloud-controller-ng@sha256:36c889a7188d9c36b8c6230226a87330c5baa2207b8ab5e82d49f40f6061351a
-  cf_api_controllers: cloudfoundry/cf-api-controllers@sha256:afe5933b8d97fe91e6aa6f7b8ec79a478df2838d56ac2736982b61b86dafbe25
+  ccng: gcr.io/cf-capi-arya/dev-ccng@sha256:a13471691197996b5a865f14f3011a3b5af29c348f96e16bcb4b9c09e014bf54
+  cf_api_controllers: gcr.io/cf-capi-arya/dev-controllers@sha256:0506b3302560202c8545286ed63455cf66204cee45b397d7152afab3fbdcc038
   cf_autodetect_builder: cloudfoundry/cnb:0.0.94-bionic@sha256:5b03a853e636b78c44e475bbc514e2b7b140cc41cca8ab907e9753431ae8c0b0
-  nginx: cloudfoundry/capi-nginx@sha256:980f50e190cbff72d23300bc422da23faa888271c2d07ac3abaa65af55a5316a
-  package_image_uploader: cloudfoundry/cf-api-package-image-uploader
+  nginx: cloudfoundry/capi-nginx@sha256:81ce783601c1b471e5d389b9ad62e871d945be77bdaeb0660342fa247e81c8c2
+  package_image_uploader: cloudfoundry/cf-api-package-image-uploader@sha256:aae727a0960d10ce644035dee7041f7e882c7c58a37992252002ce7c95d8804d
   statsd_exporter: oratos/statsd_exporter:v0.15.0@sha256:10a64dc4ad0a3e3fe88372f0481dea5c02595c38d168617836a99a649d3ac407
-kbld:
-  destination: null

config/kapp-rebase-rules.yml

@@ -18,4 +18,4 @@ rebaseRules:
   - apiVersionKindMatcher:
       apiVersion: admissionregistration.k8s.io/v1beta1
       kind: MutatingWebhookConfiguration
-      name: resource.webhook.kpack.pivotal.io
+      name: defaults.webhook.kpack.io