Merge branch 'release/2.6.5'

vmware-tanzu-labs · Aug 25, 2023 · 374ff3b · 374ff3b
2 parents 91d5a6e + 6b98234
commit 374ff3b
Show file tree

Hide file tree

Showing 7 changed files with 142 additions and 22 deletions.
diff --git a/carvel-packages/training-platform/bundle/config/00-schema.yaml b/carvel-packages/training-platform/bundle/config/00-schema.yaml
@@ -278,7 +278,7 @@ websiteStyling:
   frameAncestors:
   - ""
 
-#! Pre-pull selected Educates images to nodes in the cluster. Should be empty
+#! Pre-pull selected workshop images to nodes in the cluster. Should be empty
 #! list if no images should be prepulled. This is done to reduce start up times
 #! for workhop sessions the first time on each node in the cluster.
 

diff --git a/carvel-packages/training-platform/bundle/config/11-session-manager/07-daemonsets.yaml b/carvel-packages/training-platform/bundle/config/11-session-manager/07-daemonsets.yaml
@@ -1,8 +1,11 @@
 #@ load("@ytt:data", "data")
 #@ load("/00-package.star", "image_reference", "image_pull_secrets", "image_pull_policy")
 
+#@ prepull = ["training-portal"]
+#@ prepull.extend(data.values.imagePuller.prePullImages)
+
 ---
-#@ if data.values.imagePuller.prePullImages:
+#@ if prepull:
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -25,7 +28,6 @@ spec:
         #!   type: RuntimeDefault
       initContainers:
       #@ images = data.values.imageVersions
-      #@ prepull = data.values.imagePuller.prePullImages
       #@ for i in range(len(prepull)):
       #@ image = image_reference(prepull[i])
       #@ if image:

diff --git a/client-programs/pkg/cmd/admin_cluster_create_cmd.go b/client-programs/pkg/cmd/admin_cluster_create_cmd.go
@@ -8,8 +8,10 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path"
 	"time"
 
+	"github.com/adrg/xdg"
 	"github.com/cppforlife/go-cli-ui/ui"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -22,6 +24,11 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd/core"
 	"github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd/tools"
 	"github.com/vmware-tanzu/carvel-kapp/pkg/kapp/logger"
+	"gopkg.in/yaml.v2"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kubectl/pkg/scheme"
 
 	"github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/cluster"
 	"github.com/vmware-tanzu-labs/educates-training-platform/client-programs/pkg/config"
@@ -31,11 +38,13 @@ import (
 )
 
 type AdminClusterCreateOptions struct {
-	Config     string
-	Kubeconfig string
-	Image      string
-	Domain     string
-	Version    string
+	Config       string
+	Kubeconfig   string
+	Image        string
+	Domain       string
+	Version      string
+	WithServices bool
+	WithPlatform bool
 }
 
 func (o *AdminClusterCreateOptions) Run() error {
@@ -129,10 +138,76 @@ func (o *AdminClusterCreateOptions) Run() error {
 		},
 	}
 
+	var deploymentFiles []string
+
+	if fullConfig.ClusterIngress.CACertificateRef.Name != "" {
+		configFileDir := path.Join(xdg.DataHome, "educates")
+		secretsCacheDir := path.Join(configFileDir, "secrets")
+		name := fullConfig.ClusterIngress.CACertificateRef.Name + ".yaml"
+		certificateFullPath := path.Join(secretsCacheDir, name)
+
+		secretYAML, err := os.ReadFile(certificateFullPath)
+
+		if err != nil {
+			return errors.Wrap(err, "unable to read CA certificate secret file")
+		}
+
+		parsedSecret := &apiv1.Secret{}
+		decoder := scheme.Codecs.UniversalDeserializer()
+
+		_, _, err = decoder.Decode([]byte(secretYAML), nil, parsedSecret)
+
+		if err != nil {
+			return errors.Wrap(err, "unable to parse CA certificate secret file")
+		}
+
+		certificateData, found := parsedSecret.Data["ca.crt"]
+
+		if !found {
+			return errors.New("CA certificate secret file doesn't contain ca.crt")
+		}
+
+		kappConfigSecret := &apiv1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Secret",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "kapp-controller-config",
+				Namespace: "kapp-controller",
+			},
+			StringData: map[string]string{
+				"caCerts": string(certificateData),
+			},
+		}
+
+		kappConfigObject, err := runtime.DefaultUnstructuredConverter.ToUnstructured(kappConfigSecret)
+
+		if err != nil {
+			return errors.Wrap(err, "cannot convert kapp-controller config to object")
+		}
+
+		kappConfigYAML, err := yaml.Marshal(&kappConfigObject)
+
+		if err != nil {
+			return errors.Wrap(err, "couldn't generate YAML for kapp-controller config")
+		}
+
+		kappConfigPath := path.Join(configFileDir, "kapp-controller-config.yaml")
+
+		err = os.WriteFile(kappConfigPath, kappConfigYAML, 0644)
+
+		if err != nil {
+			return errors.Wrap(err, "cannot write kapp-controller config file")
+		}
+
+		deploymentFiles = append(deploymentFiles, kappConfigPath)
+	}
+
+	deploymentFiles = append(deploymentFiles, "https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml")
+
 	kappConfig.FileFlags = tools.FileFlags{
-		Files: []string{
-			"https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml",
-		},
+		Files: deploymentFiles,
 	}
 
 	kappConfig.ApplyFlags.ClusterChangeOpts.Wait = true
@@ -169,14 +244,22 @@ func (o *AdminClusterCreateOptions) Run() error {
 		return errors.Wrap(err, "failed to create service for registry")
 	}
 
+	if !o.WithServices {
+		return nil
+	}
+
 	servicesConfig := config.ClusterEssentialsConfig{
 		ClusterInfrastructure: fullConfig.ClusterInfrastructure,
 		ClusterPackages:       fullConfig.ClusterPackages,
 		ClusterSecurity:       fullConfig.ClusterSecurity,
 	}
 
 	if err = services.DeployServices(o.Version, &clusterConfig.ClusterConfig, &servicesConfig); err != nil {
-		return errors.Wrap(err, "failed to deploy services")
+		return errors.Wrap(err, "failed to deploy cluster essentials services")
+	}
+
+	if !o.WithPlatform {
+		return nil
 	}
 
 	platformConfig := config.TrainingPlatformConfig{
@@ -197,7 +280,7 @@ func (o *AdminClusterCreateOptions) Run() error {
 	}
 
 	if err = operators.DeployOperators(o.Version, &clusterConfig.ClusterConfig, &platformConfig); err != nil {
-		return errors.Wrap(err, "failed to deploy operators")
+		return errors.Wrap(err, "failed to deploy training platform components")
 	}
 
 	return nil
@@ -243,6 +326,18 @@ func (p *ProjectInfo) NewAdminClusterCreateCmd() *cobra.Command {
 		p.Version,
 		"version of Educates training platform to be installed",
 	)
+	c.Flags().BoolVar(
+		&o.WithServices,
+		"with-services",
+		true,
+		"deploy extra cluster services required for Educates",
+	)
+	c.Flags().BoolVar(
+		&o.WithPlatform,
+		"with-platform",
+		true,
+		"deploy all the Educates training platform components",
+	)
 
 	return c
 }

diff --git a/session-manager/handlers/workshopenvironment.py b/session-manager/handlers/workshopenvironment.py
@@ -1,5 +1,6 @@
 import os
 import base64
+import copy
 
 import yaml
 
@@ -557,17 +558,22 @@ def workshop_environment_create(
 
     # Create a config map in the workshop namespace which contains the details
     # about the workshop. This will be mounted into workshop instances so they
-    # can derive information to configure themselves.
+    # can derive information to configure themselves. We need to make sure not
+    # including potentially sensitive details such as lists of Kubernetes
+    # resources or docker-compose config.
+
+    applications_config = workshop_spec.get("session", {}).get("applications", {})
+    applications_config = copy.deepcopy(applications_config)
+    applications_config.get("docker", {}).pop("compose", None)
+    applications_config.get("vcluster", {}).pop("objects", None)
 
     workshop_config = {
         "spec": {
             "title": workshop_spec.get("title", ""),
             "description": workshop_spec.get("description", ""),
             "version": workshop_spec.get("version", "latest"),
             "session": {
-                "applications": workshop_spec.get("session", {}).get(
-                    "applications", []
-                ),
+                "applications": applications_config,
                 "ingresses": workshop_spec.get("session", {}).get("ingresses", []),
                 "dashboards": workshop_spec.get("session", {}).get("dashboards", []),
             },

diff --git a/session-manager/handlers/workshopsession.py b/session-manager/handlers/workshopsession.py
@@ -1680,6 +1680,11 @@ def resolve_security_policy(name):
     if storage_volume_subpath:
         packages_volume_subpath = f"{storage_volume_subpath}/{packages_volume_subpath}"
 
+    git_repos_volume_subpath = "opt/git/repositories"
+
+    if storage_volume_subpath:
+        git_repos_volume_subpath = f"{storage_volume_subpath}/{git_repos_volume_subpath}"
+
     if storage_volume_name:
         deployment_pod_template_spec["volumes"].append(
             {
@@ -1731,6 +1736,11 @@ def resolve_security_policy(name):
                 "mountPath": "/opt/packages",
                 "subPath": packages_volume_subpath,
             },
+            {
+                "name": "workshop-data",
+                "mountPath": "/opt/git/repositories",
+                "subPath": git_repos_volume_subpath,
+            },
         ]
     )
 
@@ -2781,8 +2791,8 @@ def _apply_environment_patch(patch):
             "type": "ClusterIP",
             "ports": [
                 {
-                    "name": "10080-tcp",
-                    "port": 10080,
+                    "name": "80-tcp",
+                    "port": 80,
                     "protocol": "TCP",
                     "targetPort": 10080,
                 }
@@ -2815,7 +2825,7 @@ def _apply_environment_patch(patch):
                         "backend": {
                             "service": {
                                 "name": session_namespace,
-                                "port": {"number": 10080},
+                                "port": {"number": 80},
                             }
                         },
                     }
@@ -2888,7 +2898,7 @@ def _apply_environment_patch(patch):
                             "backend": {
                                 "service": {
                                     "name": session_namespace,
-                                    "port": {"number": 10080},
+                                    "port": {"number": 80},
                                 }
                             },
                         }

diff --git a/training-portal/src/project/apps/workshops/manager/cleanup.py b/training-portal/src/project/apps/workshops/manager/cleanup.py
@@ -91,7 +91,7 @@ def purge_expired_workshop_sessions():
                     # host = f"{session.name}.{settings.INGRESS_DOMAIN}"
                     # url = f"{settings.INGRESS_PROTOCOL}://{host}/session/activity"
 
-                    url = f"http://{session.name}.{session.environment.name}:10080/session/activity"
+                    url = f"http://{session.name}.{session.environment.name}/session/activity"
 
                     response = requests.get(url)
 

diff --git a/workshop-images/base-environment/opt/eduk8s/etc/setup.d/01-kubernetes.sh b/workshop-images/base-environment/opt/eduk8s/etc/setup.d/01-kubernetes.sh
@@ -54,6 +54,13 @@ if [ -z "$KUBECTL_VERSION" ]; then
     KUBECTL_VERSION=1.27
 fi
 
+# Restrict access permissions on kubeconfig file as some clients will complain
+# if it is readable by group or others.
+
+if [ -f $HOME/.kube/config ]; then
+    chmod 0600 $HOME/.kube/config
+fi
+
 # Determine the server URL and current namespace when using a kubeconfig file.
 
 if [ -f $HOME/.kube/config ]; then