ytt templates refactoring and upgrading to v0.1.0 (#4)

* feat(ytt): initial values

* fix(chart): add function to imports

* feat(ytt): added crds

* fix(ytt): fixed loglevel "default" logic

* fix(ytt): added "v" to image tag parser

* feat(ytt): added monitoring sa

* fix(ytt): modified webhook strategy

* feat(ytt): sync with v0.1.0 1035afc

Co-authored-by: alegrey91 <ale_grey_91@hotmail.it>

.gitignore

@@ -0,0 +1,4 @@
+# do not track temporary files
+*.tmp
+*.bak
+*.swp

templates/ca.yaml → ca.yaml

@@ -1,5 +1,5 @@
 #@ load("@ytt:data", "data")
-#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels")
+#@ load("config.lib.yml", "labels", "secretCaName")
 
 apiVersion: v1
 kind: Secret

capsuleconfiguration-crd.yaml

@@ -0,0 +1,56 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+  creationTimestamp: null
+  name: capsuleconfigurations.capsule.clastix.io
+spec:
+  group: capsule.clastix.io
+  names:
+    kind: CapsuleConfiguration
+    listKind: CapsuleConfigurationList
+    plural: capsuleconfigurations
+    singular: capsuleconfiguration
+  scope: Cluster
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: CapsuleConfiguration is the Schema for the Capsule configuration API
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: CapsuleConfigurationSpec defines the Capsule configuration
+              properties:
+                forceTenantPrefix:
+                  default: false
+                  description: Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
+                  type: boolean
+                protectedNamespaceRegex:
+                  description: Disallow creation of namespaces, whose name matches this regexp
+                  type: string
+                userGroups:
+                  default:
+                    - capsule.clastix.io
+                  description: Names of the groups for Capsule users.
+                  items:
+                    type: string
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

templates/certs.yaml → certs.yaml

@@ -1,5 +1,5 @@
 #@ load("@ytt:data", "data")
-#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels")
+#@ load("config.lib.yml", "labels", "secretTlsName")
 
 apiVersion: v1
 kind: Secret

templates/config.lib.yml → config.lib.yml

@@ -54,20 +54,20 @@ app.kubernetes.io/instance: #@ v.release.name
 #!Create the manager fully-qualified Docker image to use
 #@ def managerFullyQualifiedDockerImage():
 #@   if v.manager.image.tag:
-#@     return v.manager.image.repository + ":" + v.manager.image.tag
+#@     return v.manager.image.repository + ":v" + v.manager.image.tag
 #@   else:
-#@     return v.manager.image.repository + ":" + v.chart.appVersion
+#@     return v.manager.image.repository + ":v" + v.chart.appVersion
 #@   end
 #@ end
 
 #!Create the proxy fully-qualified Docker image to use
 #@ def proxyFullyQualifiedDockerImage():
-#@   return v.proxy.image.repository + ":" + v.proxy.image.tag
+#@   return v.proxy.image.repository + ":v" + v.proxy.image.tag
 #@ end
 
 #!Create the jobs fully-qualified Docker image to use
 #@ def jobsFullyQualifiedDockerImage():
-#@   return v.jobs.image.repository + ":" + v.jobs.image.tag
+#@   return v.jobs.image.repository + ":v" + v.jobs.image.tag
 #@ end
 
 #!Create the Capsule Deployment name to use
@@ -76,12 +76,11 @@ app.kubernetes.io/instance: #@ v.release.name
 #@ end
 
 #!Create the Capsule CA Secret name to use
-#@ def secretName():
+#@ def secretCaName():
 #@   return fullName() + "-ca"
 #@ end
 
 #!Create the Capsule TLS Secret name to use
-
 #@ def secretTlsName():
 #@   return fullName() + "-tls"
 #@ end

configmap.yaml

@@ -0,0 +1,26 @@
+#@ load("@ytt:data", "data")
+#@ load("config.lib.yml", "secretTlsName", "secretCaName", "fullName")
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: #@ fullName() + "-kapp-config"
+  labels:
+    kapp.k14s.io/config: ""
+data:
+  config.yml: |
+    apiVersion: kapp.k14s.io/v1alpha1
+    kind: Config
+    rebaseRules:
+    - path: [data]
+      type: copy
+      sources: [existing, new]
+      resourceMatchers:
+      - kindNamespaceNameMatcher:
+          kind: Secret
+          namespace: #@ data.values.release.namespace
+          name: #@ secretTlsName()
+      - kindNamespaceNameMatcher:
+          kind: Secret
+          namespace: #@ data.values.release.namespace
+          name: #@ secretCaName()

templates/configuration-default.yaml → configuration-default.yaml

@@ -1,14 +1,16 @@
 #@ load("@ytt:data", "data")
+#@ load("config.lib.yml", "labels")
 
 apiVersion: capsule.clastix.io/v1alpha1
 kind: CapsuleConfiguration
 metadata:
   name: default
+  labels: #@ labels()
 spec:
   forceTenantPrefix: #@ data.values.manager.options.forceTenantPrefix
   userGroups:
   #@ for/end item in data.values.manager.options.capsuleUserGroups:
   - #@ item
   protectedNamespaceRegex: #@ data.values.manager.options.protectedNamespaceRegex
-  allowTenantIngressHostnamesCollision: #@ data.values.manager.options.allowTenantIngressHostnamesCollision
-  allowIngressHostnameCollision: #@ data.values.manager.options.allowIngressHostnameCollision
+  #!allowTenantIngressHostnamesCollision: #@ data.values.manager.options.allowTenantIngressHostnamesCollision
+  #!allowIngressHostnameCollision: #@ data.values.manager.options.allowIngressHostnameCollision

templates/deployment.yaml → deployment.yaml

@@ -21,7 +21,7 @@ spec:
       hostNetwork: true
       #@ end
       priorityClassName: #@ data.values.priorityClassName
-      nodeSelector: #@ data.values.imagePullSecrets
+      nodeSelector: #@ data.values.nodeSelector
       tolerations: #@ data.values.tolerations
       affinity: #@ data.values.affinity
       volumes:
@@ -35,7 +35,7 @@ spec:
           - /manager
           args:
           - --enable-leader-election
-          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+          - #@ "--zap-log-level=" + data.values.manager.options.logLevel if data.values.manager.options.logLevel else 4
           - --configuration-name=default
           image: #@ managerFullyQualifiedDockerImage()
           imagePullPolicy: #@ data.values.manager.image.pullPolicy
@@ -51,15 +51,12 @@ spec:
             - name: metrics
               containerPort: 8080
               protocol: TCP
-          livenessProbe:
-            #@ data.values.manager.livenessProbe
-          readinessProbe:
-            #@ data.values.manager.readinessProbe
+          livenessProbe: #@ data.values.manager.livenessProbe
+          readinessProbe: #@ data.values.manager.readinessProbe
           volumeMounts:
           - mountPath: /tmp/k8s-webhook-server/serving-certs
             name: cert
             readOnly: true
-          resources:
-            #@ data.values.manager.resources
+          resources: #@ data.values.manager.resources
           securityContext:
             allowPrivilegeEscalation: false

templates/metrics-rbac.yaml → metrics-rbac.yaml

@@ -7,7 +7,7 @@ kind: Role
 metadata:
   labels: #@ labels()
   #@ if data.values.serviceMonitor.labels:
-  #@  return data.values.serviceMonitor.labels
+  #@   data.values.serviceMonitor.labels
   #@ end
   name: #@ fullName() + "-metrics-role"
   namespace: #@ data.values.serviceMonitor.namespace if data.values.serviceMonitor.namespace else data.values.release.namespace
@@ -28,7 +28,7 @@ kind: RoleBinding
 metadata:
   labels: #@ labels()
   #@ if data.values.serviceMonitor.labels:
-  #@  return data.values.serviceMonitor.labels
+  #@   data.values.serviceMonitor.labels
   #@ end
   name: #@ fullName() + "-metrics-rolebinding"
   namespace: #@ data.values.serviceMonitor.namespace if data.values.serviceMonitor.namespace else data.values.release.namespace

templates/podsecuritypolicy.yaml → podsecuritypolicy.yaml

@@ -1,7 +1,7 @@
 #@ load("@ytt:data", "data")
-#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels")
+#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels", "serviceAccountName")
 
-#@ if data.values.podSecurityPolicy.enabled:
+#@ if not data.values.podSecurityPolicy.enabled:
 kind: PodSecurityPolicy
 apiVersion: policy/v1beta1
 metadata:
@@ -51,4 +51,4 @@ subjects:
 - apiGroup: ""
   kind: ServiceAccount
   name: #@ serviceAccountName()
-#@ end
+#@ end

templates/rbac.yaml → rbac.yaml

@@ -1,5 +1,5 @@
 #@ load("@ytt:data", "data")
-#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels")
+#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels", "serviceAccountName")
 
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -34,7 +34,7 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ fullName() + "-metrics-reader"
+  name: #@ fullName() + "-proxy-rolebinding"
   labels: #@ labels()
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -57,4 +57,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: #@ serviceAccountName()
-  namespace: #@ data.values.release.namespace
+  namespace: #@ data.values.release.namespace

templates/serviceaccount.yaml → serviceaccount.yaml

@@ -1,14 +1,13 @@
 #@ load("@ytt:data", "data")
-#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels")
+#@ load("config.lib.yml", "name", "fullName", "chart", "labels", "selectorLabels", "serviceAccountName")
 
 #@ if data.values.serviceAccount.create:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: #@ serviceAccountName()
   labels: #@ labels()
-  annotations:
-  #@ if data.values.annotations:
-    #@  return data.values.serviceMonitor.labels
+  #@ if data.values.serviceAccount.annotations:
+  annotations: #@ data.values.serviceAccount.annotations
   #@ end
 #@ end

templates/servicemonitor.yaml → servicemonitor.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: #@ data.values.serviceMonitor.namespace if data.values.serviceMonitor.namespace else data.values.release.namespace
   labels: #@ labels()
   #@ if data.values.serviceMonitor.labels:
-  #@  return data.values.serviceMonitor.labels
+  #@   data.values.serviceMonitor.labels
   #@ end
 spec:
   endpoints: