Improve registry and Git config (#1)

* Improve registry and Git config

.github/workflows/release.yml

@@ -18,6 +18,6 @@ jobs:
       registry-server: ghcr.io
       registry-username: ${{ github.actor }}
       image: ${{ github.repository }}
-      version: 0.1.1
+      version: 0.2.0
     secrets:
       pull-request-token: ${{ secrets.GH_ORG_PAT }}

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
     name: Integration Tests
     strategy:
       matrix:
-        k8s_version: [v1.24, v1.25, v1.26]
+        k8s_version: [v1.25, v1.26, v1.27]
     permissions:
       contents: read
     uses: kadras-io/github-reusable-workflows/.github/workflows/carvel-package-test-integration.yml@main

Makefile

@@ -1,4 +1,4 @@
-K8S_VERSION=v1.26
+K8S_VERSION=v1.27
 
 # Build package configuration
 build: package
@@ -26,6 +26,10 @@ ytt:
 schema:
 	ytt -f package/config/values-schema.yml --data-values-schema-inspect -o openapi-v3 > schema-openapi.yml
 
+# Use kbld to resolve the OCI images referenced within the manifests
+kbld:
+	rm -f package/.imgpkg/images.yml && mkdir -p package/.imgpkg && kbld --file package/config --imgpkg-lock-output package/.imgpkg/images.yml 1>> /dev/null
+
 # Check the ytt-annotated Kubernetes configuration and its validation
 test-config:
 	ytt -f package/config --data-values-file test/unit/config/values.yml | kubeconform -ignore-missing-schemas -summary

README.md

@@ -1,18 +1,18 @@
 # Workspace Provisioner
 
-A Carvel package for provisioning and configuring workspaces (namespaces or virtual clusters) with the necessary credentials, roles and limit ranges to work with the Kadras [Engineering Platform](https://github.com/kadras-io/engineering-platform).
-
 ![Test Workflow](https://github.com/kadras-io/workspace-provisioner/actions/workflows/test.yml/badge.svg)
 ![Release Workflow](https://github.com/kadras-io/workspace-provisioner/actions/workflows/release.yml/badge.svg)
-[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v0.1/levels)
+[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v1.0/levels)
 [![The Apache 2.0 license badge](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Follow us on Twitter](https://img.shields.io/static/v1?label=Twitter&message=Follow&color=1DA1F2)](https://twitter.com/kadrasIO)
 
+A Carvel package for provisioning and configuring workspaces (namespaces or virtual clusters) with the necessary credentials, roles and limit ranges to work with the Kadras [Engineering Platform](https://github.com/kadras-io/engineering-platform).
+
 ## 🚀  Getting Started
 
 ### Prerequisites
 
-* Kubernetes 1.24+
+* Kubernetes 1.25+
 * Carvel [`kctrl`](https://carvel.dev/kapp-controller/docs/latest/install/#installing-kapp-controller-cli-kctrl) CLI.
 * Carvel [kapp-controller](https://carvel.dev/kapp-controller) deployed in your Kubernetes cluster. You can install it with Carvel [`kapp`](https://carvel.dev/kapp/docs/latest/install) (recommended choice) or `kubectl`.
 
@@ -30,10 +30,9 @@ Workspace Provisioner is used as part of the Kadras [Engineering Platform](https
 Add the Kadras [package repository](https://github.com/kadras-io/kadras-packages) to your Kubernetes cluster:
 
   ```shell
-  kubectl create namespace kadras-packages
   kctrl package repository add -r kadras-packages \
     --url ghcr.io/kadras-io/kadras-packages \
-    -n kadras-packages
+    -n kadras-packages --create-namespace
   ```
 
 <details><summary>Installation without package repository</summary>
@@ -86,6 +85,7 @@ The Workspace Provisioner package can be customized via a `values.yml` file.
   oci_registry:
     secret:
       name: supply-chain-registry-credentials
+      namespace: kadras-packages
   ```
 
 Reference the `values.yml` file from the `kctrl` command when installing or upgrading the package.
@@ -108,14 +108,13 @@ The Workspace Provisioner package has the following configurable properties.
 |-------|-------------------|-------------|
 | `namespaces` | `[]` | Configuration for the namespaces the platform will provision and manage. |
 | `service_account` | `default` | The `ServiceAccount` to be configured with credentials and roles in each workspace. |
-| `oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. **Required**. |
-| `oci_registry.secret.namespace` | `""` | The namespace of the Secret holding the credentials to access the OCI registry. **Required**. |
+| `oci_registry.secret.name` | `""` | The name of the Secret holding the credentials to access the OCI registry. |
+| `oci_registry.secret.namespace` | `""` | The namespace of the Secret holding the credentials to access the OCI registry. |
 | `cosign.secret.name` | `""` | The name of the Secret holding the Cosign key pair. |
 | `cosign.secret.namespace` | `""` | The namespace of the Secret holding the Cosign key pair. |
-| `git.server` | `https://github.com` | The Git server hosting the Git repositories used in the GitOps workflows. |
-| `git.credentials.username` | `""` | The username to access the Git repositories. |
-| `git.credesntials.password` | `""` | The password to access the Git repositories. |
-| `git.secret.name` | `supply-chain-git-credentials` | The name of the Secret holding the Git credentials. |
+| `git.server` | `https://github.com` | The Git server hosting the Git repositories used by the platform. |
+| `git.secret.name` | `""` | The name of the Secret holding the Git credentials. |
+| `git.secret.namespace` | `""` | The namespace of the Secret holding the Git credentials. |
 
 </details>
 
@@ -129,6 +128,4 @@ This project is licensed under the **Apache License 2.0**. See [LICENSE](LICENSE
 
 ## 🙏&nbsp; Acknowledgments
 
-This package is inspired by:
-
-* the [namespace setup](https://github.com/vrabbi/tap-oss/tree/main/packages/dev-ns-preperation) included in an example of Tanzu Application Platform OSS stack.
+This package is inspired by the [namespace setup](https://github.com/vrabbi/tap-oss/tree/main/packages/dev-ns-preperation) package developed by [Scott Rosenberg](https://vrabbi.cloud).

package/config/setup-namespaces.yml

@@ -1,15 +1,22 @@
 #@ load("@ytt:data","data")
 
+#@ image_pull_secret_name = "canonical-registry-credentials"
+
+#@ def is_oci_registry_secret_available():
+#@   return data.values.oci_registry.secret.name != "" and data.values.oci_registry.secret.namespace != ""
+#@ end
+
 #@ def is_cosign_secret_available():
 #@   return data.values.cosign.secret.name != "" and data.values.cosign.secret.namespace != ""
 #@ end
 
-#@ def is_git_config_available():
-#@   return data.values.git.server != "" and data.values.git.credentials.username != "" and data.values.git.credentials.password != ""
+#@ def is_git_secret_available():
+#@   return data.values.git.server != "" and data.values.git.secret.name != "" and data.values.git.secret.namespace != ""
 #@ end
 
 #! SECRET EXPORTS
 
+#@ if/end is_oci_registry_secret_available():
 ---
 apiVersion: secretgen.carvel.dev/v1alpha1
 kind: SecretExport
@@ -18,7 +25,9 @@ metadata:
   namespace: #@ data.values.oci_registry.secret.namespace
 spec:
   toNamespaces:
-    - "*"
+    #@ for namespace in data.values.namespaces:
+    - #@ namespace.name
+    #@ end
 
 #@ if/end is_cosign_secret_available():
 ---
@@ -29,7 +38,22 @@ metadata:
   namespace: #@ data.values.cosign.secret.namespace
 spec:
   toNamespaces:
-    - "*"
+    #@ for namespace in data.values.namespaces:
+    - #@ namespace.name
+    #@ end
+
+#@ if/end is_git_secret_available():
+---
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretExport
+metadata:
+  name: #@ data.values.git.secret.name
+  namespace: #@ data.values.git.secret.namespace
+spec:
+  toNamespaces:
+    #@ for namespace in data.values.namespaces:
+    - #@ namespace.name
+    #@ end
 
 #! NAMESPACES
 
@@ -43,13 +67,13 @@ metadata:
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 
-#! OCI Registry
+#! Image Pull Placeholder Secret (populated by secretgen-controller)
 
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: #@ data.values.oci_registry.secret.name
+  name: #@ image_pull_secret_name
   namespace: #@ namespace.name
   annotations:
     secretgen.carvel.dev/image-pull-secret: ""
@@ -58,22 +82,19 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: e30K
 
-#! Git
+#! OCI Registry
 
-#@ if/end is_git_config_available():
+#@ if/end is_oci_registry_secret_available():
 ---
-apiVersion: v1
-kind: Secret
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretImport
 metadata:
-  name: #@ data.values.git.secret.name
+  name: #@ data.values.oci_registry.secret.name
   namespace: #@ namespace.name
   annotations:
-    tekton.dev/git-0: #@ data.values.git.server
     kapp.k14s.io/create-strategy: fallback-on-update
-type: kubernetes.io/basic-auth
-stringData:
-  username: #@ data.values.git.credentials.username
-  password: #@ data.values.git.credentials.password
+spec:
+  fromNamespace: #@ data.values.oci_registry.secret.namespace
 
 #! Cosign
 
@@ -89,6 +110,21 @@ metadata:
 spec:
   fromNamespace: #@ data.values.cosign.secret.namespace
 
+#! Git
+
+#@ if/end is_git_secret_available():
+---
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretImport
+metadata:
+  name: #@ data.values.git.secret.name
+  namespace: #@ namespace.name
+  annotations:
+    tekton.dev/git-0: #@ data.values.git.server
+    kapp.k14s.io/create-strategy: fallback-on-update
+spec:
+  fromNamespace: #@ data.values.git.secret.namespace
+
 #! RBAC
 
 ---
@@ -100,12 +136,15 @@ metadata:
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 secrets:
+  #@ if/end is_oci_registry_secret_available():
   - name: #@ data.values.oci_registry.secret.name
-  #@ if/end is_git_config_available():
-  - name: #@ data.values.git.secret.name
   #@ if/end is_cosign_secret_available():
   - name: #@ data.values.cosign.secret.name
+  #@ if/end is_git_secret_available():
+  - name: #@ data.values.git.secret.name
 imagePullSecrets:
+  - name: #@ image_pull_secret_name
+  #@ if/end is_oci_registry_secret_available():
   - name: #@ data.values.oci_registry.secret.name
 
 ---

package/config/values-schema.yml

@@ -14,10 +14,8 @@ oci_registry:
   #@schema/desc "Configuration for the Secret holding the credentials to access the OCI registry."
   secret:
     #@schema/desc "The name of the Secret holding the credentials to access the OCI registry."
-    #@schema/validation min_len=1
     name: ""
     #@schema/desc "The namespace of the Secret holding the credentials to access the OCI registry."
-    #@schema/validation min_len=1
     namespace: ""
 
 #@schema/desc "Settings for Cosign, used for signing and verifying OCI artifacts."
@@ -32,15 +30,10 @@ cosign:
 #@schema/desc "Configuration to access the Git repositories used in the GitOps workflows."
 git:
   #@schema/desc "The Git server hosting the Git repositories used in the GitOps workflows."
-  server: https://github.com
-  #@schema/desc "Configuration for Git credentials."
-  credentials:
-    #@schema/desc "The username to access the Git repositories."
-    username: ""
-    #@schema/desc "The password to access the Git repositories."
-    password: ""
+  server: "https://github.com"
   #@schema/desc "Configuration for the Secret holding the Git credentials."
   secret:
     #@schema/desc "The name of the Secret holding the Git credentials."
-    #@schema/validation when=lambda _, ctx: ctx.root["git"]["credentials"]["username"] != "" and ctx.root["git"]["credentials"]["password"] != ""
-    name: supply-chain-git-credentials
+    name: ""
+    #@schema/desc "The namespace of the Secret holding the Git credentials."
+    namespace: ""

test/integration/default/00-prepare.yaml

@@ -0,0 +1,43 @@
+# Namespace
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kadras-packages
+
+#! OCI Registry
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supply-chain-registry-credentials
+  namespace: kadras-packages
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30K
+
+#! Cosign
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supply-chain-cosign-key-pair
+  namespace: kadras-packages
+stringData:
+  cosign.key: key
+  cosign.password: pass
+  cosign.pub: pub
+
+#! Git
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supply-chain-git-credentials 
+  namespace: kadras-packages
+stringData:
+  username: user
+  password: pass

test/integration/default/00-assert.yaml → test/integration/default/01-assert.yaml

@@ -7,18 +7,52 @@ metadata:
   annotations:
     kapp.k14s.io/create-strategy: fallback-on-update
 
-#! OCI Registry
+#! Image Pull Placeholder Secret
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: supply-chain-registry-credentials
+  name: canonical-registry-credentials
   namespace: test-default
   annotations:
     secretgen.carvel.dev/image-pull-secret: ""
     kapp.k14s.io/create-strategy: fallback-on-update
 type: kubernetes.io/dockerconfigjson
 
+#! OCI Registry
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supply-chain-registry-credentials
+  namespace: test-default
+  annotations:
+    kapp.k14s.io/create-strategy: fallback-on-update
+
+#! Cosign
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supply-chain-cosign-key-pair
+  namespace: test-default
+  annotations:
+    kapp.k14s.io/create-strategy: fallback-on-update
+
+#! Git
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supply-chain-git-credentials
+  namespace: test-default
+  annotations:
+    tekton.dev/git-0: https://github.com
+    kapp.k14s.io/create-strategy: fallback-on-update
+
 #! RBAC
 ---
 apiVersion: v1
@@ -30,7 +64,10 @@ metadata:
     kapp.k14s.io/create-strategy: fallback-on-update
 secrets:
   - name: supply-chain-registry-credentials
+  - name: supply-chain-cosign-key-pair
+  - name: supply-chain-git-credentials
 imagePullSecrets:
+  - name: canonical-registry-credentials
   - name: supply-chain-registry-credentials
 
 ---