Separate helm charts for registry and engine (#141)

Makefile

@@ -12,12 +12,8 @@ test:
 
 .PHONY: helm
 helm:
-	sed -i.bak 's/0.0.0-development/$(tag:v%=%)/g' helm/charts/infra/Chart.yaml
-	sed -i.bak 's/0.0.0-development/$(tag:v%=%)/g' helm/charts/infra/charts/engine/Chart.yaml
-	helm package -d ./helm helm/charts/infra helm/charts/infra/charts/engine
+	helm package -d ./helm helm/charts/infra helm/charts/engine --version $(tag) --app-version $(tag)
 	helm repo index ./helm
-	mv helm/charts/infra/Chart.yaml.bak helm/charts/infra/Chart.yaml
-	mv helm/charts/infra/charts/engine/Chart.yaml.bak helm/charts/infra/charts/engine/Chart.yaml
 
 .PHONY: docs
 docs:
@@ -46,7 +42,8 @@ build:
 dev:
 	kubectl config use-context docker-desktop
 	docker build . -t infrahq/infra:0.0.0-development
-	helm upgrade --install infra ./helm/charts/infra --set image.pullPolicy=Never --set image.tag=0.0.0-development  --set engine.image.tag=0.0.0-development --set engine.image.pullPolicy=Never
+	helm upgrade --install infra ./helm/charts/infra --set image.pullPolicy=Never --set image.tag=0.0.0-development
+	helm upgrade --install infra-engine ./helm/charts/engine --set image.pullPolicy=Never --set image.tag=0.0.0-development --set registry=infra --set apiKey=$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)
 	kubectl rollout restart deployment/infra
 	kubectl rollout restart deployment/infra-engine
 

README.md

@@ -18,8 +18,6 @@ Infra is **identity and access management** for Kubernetes. Provide any user fin
 
 ## Quickstart
 
-### Install Infra
-
 ```
 helm repo add infrahq https://helm.infrahq.com
 helm install infra infrahq/infra
@@ -61,14 +59,14 @@ kubectl config use-context <name>
 Great! You've **logged into your cluster via Infra**. 
 
 ### Next steps 
+* [Configure Infra](./docs/configuration.md)
 * [Add users via Okta integration](./docs/okta.md)
 * [Connect a Kubernetes cluster](./docs/connect.md)
-* Add a [custom domain](./docs/domain.md) to infra login for quick access 
+* [Add a custom domain](./docs/domain.md)
 
 ## Documentation
-* [Helm Chart](./docs/helm.md)
+* [Helm Chart Reference](./docs/helm.md)
 * [CLI Reference](./docs/cli.md)
-* [Configuration Reference](./docs/configuration.md)
 * [Contributing](./docs/contributing.md)
 
 ## Security

docs/configuration.md

@@ -1,59 +1,37 @@
-# Configuration Reference
+# Configuring Infra
 
 * [Example](#example)
 * [ConfigMap Usage](#configmap-usage)
 * [Reference](#reference)
   * [`sources`](#sources)
     * [`okta`](#okta)
-  * [`roles`](#roles)
-    * [`user`](#user)
-    * [`destination`](#destination)
-    * [`role`](#role)
+  * [`users`](#users)
+    * [`name`](#user)
+    * [`roles`](#roles)
 
 ## Overview
 
 For teams who require configuration to be stored in version control, Infra can be managed via a configuration file, `infra.yaml`.
 
-## Kubernetes ConfigMap Example
-
-To specify via Kubernetes, create a ConfigMap as show below:
-
-```bash
-cat <<EOF | kubectl apply -f -
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: infra
-  namespace: infra
-data:
-  infra.yaml: |
-    sources:
-      - type: okta
-        oktaDomain: acme.okta.com
-        oktaClientId: 0oapn0qwiQPiMIyR35d6
-        oktaClientSecret: jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2
-        oktaApiToken: 001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd
-    users:
-      admin@example.com:
-        roles:
-          admin:
-            kind: cluster-role
-            clusters:
-              - cluster-AAA
-              - cluster-BBB
-      bob@example.com:
-        roles:
-          writer:
-            kind: cluster-role
-            clusters:
-              - cluster-AAA
-EOF
+## Create a configuration file
+
+First, create a config file `infra.yaml`:
+
+```
+users:
+  - name: admin@example.com
+    roles:
+      - name: admin
+        kind: cluster-role
+        clusters:
+          - cluster-AAA
+          - cluster-BBB
 ```
 
-Then, restart Infra server to apply the change:
+Then, apply it to the Infra registry:
 
 ```
-kubectl rollout restart -n infra deployment/infra
+helm upgrade infra --set-file config=./infra.yaml --recreate-pods
 ```
 
 ## Full Example
@@ -82,28 +60,19 @@ users:
           - cluster-AAA
 ```
 
-## Reference
+## Configuration Reference
 
 ### `sources`
 
-#### `okta`
-
-* `domain`: Okta domain
-* `client-id`: Client ID for the Okta application
-* `client-secret`: Client Secret for the Okta application
-* `api-token`: Okta API Token
-
-### `roles`
-
-### `user`
+A list of sources to sync and authenticate users from
 
-`user` is a user's email
+### `users`
 
-### `destination`
+#### `name`
 
-`destination` is a target destination to grant access to, e.g. the kubernetes cluster name
+`name` is a user's email or username
 
-### `role`
+#### `roles`
 
-`role` is a kubernetes cluster role
+`roles` is a list of role mappings to Kubernetes roles
 

docs/okta.md

@@ -53,7 +53,7 @@ sources:
 Then apply this config change:
 
 ```
-helm upgrade infra --set config=./infra.yaml --recreate-pods
+helm upgrade infra --set-file config=./infra.yaml --recreate-pods
 ```
 
 ### List users

helm/charts/engine/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: infra-engine
+  namespace: {{ .Release.Namespace }}
+  labels:
+type: Opaque
+data:
+  api-key: {{ .Values.apiKey | b64enc | quote }}

helm/charts/infra/templates/_helpers.tpl

@@ -15,3 +15,12 @@ Return the appropriate apiVersion for ingress
 {{- print "networking.k8s.io/v1" -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "infra.defaultApiKey" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace "infra" ) -}}
+  {{- if $secret -}}
+    {{-  index $secret "data" "api-key" | b64dec -}}
+  {{- else -}}
+    {{- (randAlphaNum 24) -}}
+  {{- end -}}
+{{- end -}}

helm/charts/infra/templates/configmap.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: infra
+  namespace: {{ .Release.Namespace }}
+data:
+  infra.yaml:
+    {{ toYaml .Values.config | indent 4 }}
+{{- end }}

helm/charts/infra/templates/deployment.yaml

@@ -23,8 +23,8 @@ spec:
             - name: INFRA_REGISTRY_DEFAULT_API_KEY
               valueFrom:
                 secretKeyRef:
-                  name: infra-engine
-                  key: api-key
+                  name: infra
+                  key: defaultApiKey
                   optional: true
           ports:
             - containerPort: 443

helm/charts/infra/templates/secret.yaml

@@ -7,7 +7,7 @@ metadata:
 type: Opaque
 data:
   {{- if .Values.defaultApiKey }}
-  default-api-key: {{ .Values.defaultApiKey | b64enc | quote }}
+  defaultApiKey: {{ .Values.defaultApiKey | b64enc | quote }}
   {{- else }}
-  default-api-key: {{ include "infra.defaultApiKey" . | b64enc | quote }}
+  defaultApiKey: {{ include "infra.defaultApiKey" . | b64enc | quote }}
   {{- end }}

helm/charts/infra/values.yaml

@@ -1,5 +1,6 @@
 storage: 1Gi
 defaultApiKey: ""
+config: ""
 
 image:
   repository: infrahq/infra
@@ -30,10 +31,3 @@ ingress:
     servicePort: 80
     annotations: {}
     labels: {}
-
-engine:
-  registry: "infra"
-  image:
-    repository: infrahq/infra
-    tag: ""
-    pullPolicy: IfNotPresent