Manually propagate kpack service-account

Move kind image load into SKIP_DOCKER_BUILD conditional block

Co-authored-by: Dave Walter <walterda@vmware.com>

README.md

@@ -279,6 +279,39 @@ kubectl create secret tls \
 either skip TLS validation or use the `--cacert` flag with the generated
 certificate when connecting to the API.
 
+### Creating a CF Space
+As the current implementation of HNC does not correctly propagate ServiceAccounts, when we `cf create-space`, the ServiceAccount required for image building is absent. We must create the
+ServiceAccount ourselves with a reference to the image registry credentials.
+
+Pre-req: Have a local copy of the required ServiceAccount resource
+```
+cat <<EOF >> kpack-service-account.yml
+—
+apiVersion: v1
+imagePullSecrets:
+- name: image-registry-credentials
+kind: ServiceAccount
+metadata:
+  name: kpack-service-account
+secrets:
+- name: image-registry-credentials
+EOF
+```
+1. Create the cf space
+```
+cf create-org <org_name>
+cf target -o <org_name>
+cf create-space <space_name>
+```
+2. Get the cf space guid which corresponds to the kubernetes namespace in which we create the ServiceAccount
+```
+cf space <space_name> —guid
+```
+3. Apply the service-account yaml to that namespace
+```
+kubectl apply -f kpack-service-account.yml -n <space_guid>
+```
+
 ### Running Tests
 make
 ```sh

api/config/base/config/cf_k8s_api_config.yaml

@@ -1,10 +1,10 @@
 serverURL: "https://api.example.org"
 serverPort: 9000
-rootNamespace: cf-k8s-api-system
+rootNamespace: cf
 defaultLifecycleConfig:
   type: buildpack
   stack: cflinuxfs3
   stagingMemoryMB: 1024
   stagingDiskMB: 1024
 packageRegistryBase: gcr.io/cf-relint-greengrass/cf-k8s-controllers/kpack/beta
-packageRegistrySecretName: image-registry-secret # Create this secret in the rootNamespace
+packageRegistrySecretName: image-registry-credentials # Create this secret in the rootNamespace

api/config/overlays/kind-auth-enabled/config/cf_k8s_api_config.yaml

@@ -1,11 +1,11 @@
 serverURL: http://localhost
 serverPort: 9000
-rootNamespace: cf-k8s-api-system
+rootNamespace: cf
 defaultLifecycleConfig:
   type: buildpack
   stack: cflinuxfs3
   stagingMemoryMB: 1024
   stagingDiskMB: 1024
 packageRegistryBase: gcr.io/cf-relint-greengrass/cf-k8s-controllers/kpack/beta
-packageRegistrySecretName: image-registry-secret # Create this secret in the rootNamespace
+packageRegistrySecretName: image-registry-credentials
 authEnabled: true

api/config/overlays/kind/config/cf_k8s_api_config.yaml

@@ -1,10 +1,10 @@
 serverURL: http://localhost
 serverPort: 9000
-rootNamespace: cf-k8s-api-system
+rootNamespace: cf
 defaultLifecycleConfig:
   type: buildpack
   stack: cflinuxfs3
   stagingMemoryMB: 1024
   stagingDiskMB: 1024
 packageRegistryBase: gcr.io/cf-relint-greengrass/cf-k8s-controllers/kpack/beta
-packageRegistrySecretName: image-registry-secret # Create this secret in the rootNamespace
+packageRegistrySecretName: image-registry-credentials

api/reference/cf-k8s-api.yaml

@@ -209,14 +209,14 @@ data:
   cf_k8s_api_config.yaml: |
     serverURL: "https://api.example.org"
     serverPort: 9000
-    rootNamespace: cf-k8s-api-system
+    rootNamespace: cf
     defaultLifecycleConfig:
       type: buildpack
       stack: cflinuxfs3
       stagingMemoryMB: 1024
       stagingDiskMB: 1024
     packageRegistryBase: gcr.io/cf-relint-greengrass/cf-k8s-controllers/kpack/beta
-    packageRegistrySecretName: image-registry-secret # Create this secret in the rootNamespace
+    packageRegistrySecretName: image-registry-credentials # Create this secret in the rootNamespace
   role_mappings_config.yaml: |
     roleMappings:
       admin: cf-k8s-controllers-admin
@@ -232,7 +232,7 @@ data:
       space_supporter: cf-k8s-controllers-space-supporter
 kind: ConfigMap
 metadata:
-  name: cf-k8s-api-config-62bf886gfh
+  name: cf-k8s-api-config-b5hg59dmk4
   namespace: cf-k8s-api-system
 ---
 apiVersion: v1
@@ -287,7 +287,7 @@ spec:
       serviceAccountName: cf-k8s-api-cf-admin-serviceaccount
       volumes:
       - configMap:
-          name: cf-k8s-api-config-62bf886gfh
+          name: cf-k8s-api-config-b5hg59dmk4
         name: cf-k8s-api-config
 ---
 apiVersion: projectcontour.io/v1

scripts/deploy-on-kind.sh

@@ -42,14 +42,14 @@ deploy_cf_k8s_controllers() {
   pushd $ROOT_DIR > /dev/null
   {
     "$SCRIPT_DIR/install-dependencies.sh"
-    export IMG_CONTROLLERS=${CONTROLLERS_IMG:-"cf-k8s-controllers:$(uuidgen)"}
     export KUBEBUILDER_ASSETS=$ROOT_DIR/testbin/bin
     echo $PWD
     make generate-controllers
     if [[ -z "${SKIP_DOCKER_BUILD:-}" ]]; then
+      export IMG_CONTROLLERS=${CONTROLLERS_IMG:-"cf-k8s-controllers:$(uuidgen)"}
       make docker-build-controllers
+      kind load docker-image --name "$cluster" "$IMG_CONTROLLERS"
     fi
-    kind load docker-image --name "$cluster" "$IMG_CONTROLLERS"
     make install-crds
     make deploy-controllers
   }
@@ -59,11 +59,11 @@ deploy_cf_k8s_controllers() {
 deploy_cf_k8s_api() {
   pushd $ROOT_DIR > /dev/null
   {
-    export IMG_API=${API_IMG:-"cf-k8s-api:$(uuidgen)"}
     if [[ -z "${SKIP_DOCKER_BUILD:-}" ]]; then
+      export IMG_API=${API_IMG:-"cf-k8s-api:$(uuidgen)"}
       make docker-build-api
+      kind load docker-image --name "$cluster" "$IMG_API"
     fi
-    kind load docker-image --name "$cluster" "$IMG_API"
     make deploy-api-kind-auth
   }
   popd > /dev/null

scripts/install-dependencies.sh

@@ -132,9 +132,8 @@ retry kubectl get namespace ping-hnc-child
 retry kubectl hns set --allowCascadingDeletion ping-hnc
 retry kubectl delete namespace ping-hnc --wait=false
 
-# The eirini controller requires a service account and rolebinding, which are
-# used by the statefulset controller to be able to create pods
-retry kubectl hns config set-resource serviceaccounts --mode Propagate
+# Propagate the kpack image registry write secret
+retry kubectl hns config set-resource secrets --mode Propagate
 
 echo "*******************"
 echo "Installing Eirini"