Update k14s support with local deploy and image specified based on sha

.gitignore

@@ -1,4 +1,3 @@
-
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -9,17 +8,17 @@ bin
 
 # Test binary, build with `go test -c`
 *.test
-
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
 # Kubernetes Generated files - skip generated files, except for vendored files
-
 !vendor/**/zz_generated.*
 
 # editor and IDE paraphernalia
 .idea
 *.swp
 *.swo
 *~
+
 .envrc
+build/*.lock.copied

Makefile

@@ -84,5 +84,8 @@ format:
 kapp-deploy:
 	./scripts/kapp-deploy
 
+kapp-local-deploy:
+	./scripts/kapp-deploy --local
+
 kapp-delete:
-	kapp delete -a projects-operator -y
+	./scripts/kapp-delete

README.md

@@ -7,11 +7,16 @@ controller.  `Projects` are intended to provide isolation of kubernetes
 resources on a single kubernetes cluster.  A `Project` is essentially a
 kubernetes namespace along with a corresponding set of RBAC rules.
 
-## Installation and Usage
+## Installation
 
-`projects-operator` is currently deployed using [k14s](https://k14s.io).
+### Prerequisites
 
-You must first create a `ClusterRole` that contains the RBAC
+* **kubectl**: For installation instructions, see [Install and Set Up kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) in the Kubernetes documentation.
+* **Docker CLI**: For installation instructions, see the [Docker documentation](https://docs.docker.com/install).
+* **k14s tools**: For installation instructions, see [k14s.io](https://k14s.io).
+* **A Kubernetes cluster**: This will be where the CF Service Bridge components get installed.
+
+You must also create a `ClusterRole` that contains the RBAC
 rules you wish to be applied to each created `Project`. For example:
 
 ```yaml
@@ -27,33 +32,36 @@ rules:
   verbs:
   - "*"
 ```
+The env var `CLUSTE_ROLE_REF` should be set to the name of the ClusterRole. 
 
-### Install
-
-Then you will need to build and push the projects-operator image to a registry.
+### Standard install
 
-```bash
-$ docker build -t <REGISTRY_HOSTNAME>/<REGISTRY_PROJECT>/projects-operator .
-$ docker push <REGISTRY_HOSTNAME>/<REGISTRY_PROJECT>/projects-operator
+The default image registry for cf-service-bridge is dev.registry.pivotal.io. If
+you have access to this registry, then you need only set the `INSTANCE`, `REGISTRY_USERNAME`,
+`REGISTRY_PASSWORD` and `CLUSTER_ROLE_REF` env vars, then run `./scripts/kapp-deploy`.
 
-# For example, docker build -t gcr.io/team-a/projects-operator .
-```
+### Custom install
 
-Then finally you can run the [/scripts/kapp-deploy](/scripts/kapp-deploy) script
-to deploy projects-operator.
+If you don't have access to the default registry, or if you are working on
+cf-service-bridge and wish to deploy your local changes (i.e. for testing), we
+will need to build and push the image to a custom registry. This can be done by
+setting the following env vars:
 
 ```bash
-
 export INSTANCE=<UNIQUE STRING TO IDENTIFY THIS DEPLOYMENT>
 export REGISTRY_HOSTNAME=<REGISTRY_HOSTNAME> # e.g. "gcr.io", "my.private.harbor.com", etc.
 export REGISTRY_PROJECT=<REGISTRY_PROJECT>   # e.g. "team-a", "dev", etc.
 export REGISTRY_USERNAME=<REGISTRY_PASSWORD>
 export REGISTRY_PASSWORD=<REGISTRY_PASSWORD>
 export CLUSTER_ROLE_REF=my-clusterrole-with-rbac-for-each-project
-
-$ ./scripts/kapp-deploy
 ```
 
+Then run `make kapp-local-deploy`. NB: you will need to
+have a docker daemon running and you will need to have run `docker login` for
+the registry you are using.
+
+## Using Projects Operator
+
 ### Creating a Project
 
 Apply projects yaml with a project name and a list of users/groups/serviceaccounts who have access, for example:
@@ -77,7 +85,7 @@ spec:
 ### Uninstall
 
 ```bash
-kapp -n <NAMESPACE> delete -a projects-operator
+make kapp-delete
 ```
 
 ### Webhooks

build/kbld.yaml

@@ -0,0 +1,13 @@
+#@ load("@ytt:data", "data")
+---
+apiVersion: kbld.k14s.io/v1alpha1
+kind: Sources
+sources:
+- imageRepo: dev.registry.pivotal.io/developer-console/projects-operator
+  path: .
+---
+apiVersion: kbld.k14s.io/v1alpha1
+kind: ImageDestinations
+destinations:
+- imageRepo: dev.registry.pivotal.io/developer-console/projects-operator
+  newImage: #@ data.values.registry.hostname + '/' + data.values.registry.project + '/dev-projects-operator'

build/rbac-proxy-relocation.yaml

@@ -0,0 +1,3 @@
+---
+images:
+- image: dev.registry.pivotal.io/developer-console/kube-rbac-proxy:v0.4.1

ci/pipeline.yml

@@ -96,6 +96,8 @@ jobs:
       passed: [build]
       params:
         format: oci
+  - task: bump-image-ref
+    file: projects-operator/ci/tasks/bump-image-ref.yml
   - task: kapp-deploy
     file: projects-operator/ci/tasks/kapp-deploy.yml
     params:
@@ -114,6 +116,9 @@ jobs:
       CLUSTER_API_LOCATION: {{CLUSTER_API_LOCATION}}
       CLUSTER_NAME: ci-projects-operator
       DEVELOPER_PASSWORD: {{DEVELOPER_PASSWORD}}
+  - put: projects-operator-bump
+    params:
+      repository: projects-operator
 
 - name: promote-final
   plan:
@@ -164,6 +169,16 @@ jobs:
 
 resources:
 - name: projects-operator
+  type: git
+  icon: git
+  source:
+    private_key: {{PROJECTS_OPERATOR_DEPLOY_KEY}}
+    uri: git@github.com:pivotal/projects-operator
+    branch: master
+    ignore_paths:
+    - deployments/k8s/values/images.yaml
+
+- name: projects-operator-bump
   type: git
   icon: git
   source:

ci/scripts/assemble-build-artefact.sh

@@ -1,8 +1,8 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 VERSION=$(cat version/version)
 
-sed -i "s/version:.*/version:\ ${VERSION}/" projects-operator/deployments/k8s/values.yaml
+sed -i "s/version:.*/version:\ ${VERSION}/" "projects-operator/deployments/k8s/values/_default.yaml"
 
-tar -czf projects-operator-${VERSION}.tgz -C projects-operator/deployments --transform "s/k8s/projects-operator/g" k8s/
-mv projects-operator-${VERSION}.tgz archive/projects-operator-${VERSION}.tgz
+tar -czf "projects-operator-${VERSION}.tgz" -C "projects-operator/deployments" --transform "s/k8s/projects-operator/g" "k8s/"
+mv "projects-operator-${VERSION}.tgz" "archive/projects-operator-${VERSION}.tgz"

ci/scripts/kapp-deploy.sh

@@ -1,15 +1,15 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
-export PATH="$PATH:/root/go/bin"
+export PATH="${PATH}:/root/go/bin"
 
 if [ -n "$KUBECONFIG_FILE_CONTENTS" ]; then
-    mkdir -p "$HOME/.kube"
-    echo "$KUBECONFIG_FILE_CONTENTS" > "$HOME/.kube/config"
+    mkdir -p "${HOME}/.kube"
+    echo "$KUBECONFIG_FILE_CONTENTS" > "${HOME}/.kube/config"
 fi
 
-mkdir -p $HOME/.docker
-DOCKER_AUTH=$(echo -n "$REGISTRY_USERNAME:$REGISTRY_PASSWORD" | base64 - | tr -d '\n')
-cat <<EOT > $HOME/.docker/config.json
+mkdir -p "${HOME}/.docker"
+DOCKER_AUTH=$(echo -n "${REGISTRY_USERNAME}:${REGISTRY_PASSWORD}" | base64 - | tr -d '\n')
+cat <<EOT > "${HOME}/.docker/config.json"
 {
   "auths": {
     "${REGISTRY_HOSTNAME}/${REGISTRY_PROJECT}": {

ci/tasks/bump-image-ref.yml

@@ -0,0 +1,29 @@
+platform: linux
+
+image_resource:
+  type: registry-image
+  source:
+    repository: ismteam/ci
+    tag: latest
+
+inputs:
+- name: projects-operator
+- name: projects-operator-image
+
+outputs:
+- name: projects-operator
+
+run:
+  path: /bin/bash
+  args:
+  - -euc
+  - |
+    DIGEST=$(cat projects-operator-image/digest)
+
+    pushd projects-operator
+      sed -i "s/projects-operator@.*/projects-operator@${DIGEST}/" deployments/k8s/values/images.yaml
+      git config user.email "pvtl-marketplace-demand+ci@vmware.com"
+      git config user.name "projects-operator-ci"
+      git add .
+      git commit -m "Bump projects-operator image digest"
+    popd

deployments/k8s/manifests/deployment.yaml

@@ -28,7 +28,7 @@ spec:
         - --upstream=http://127.0.0.1:8080/
         - --logtostderr=true
         - --v=10
-        image: #@ data.values.registry.hostname + '/' + data.values.registry.project + "/kube-rbac-proxy:v0.4.1"
+        image: #@ data.values.images.kubeRbacProxy
         name: kube-rbac-proxy
         ports:
         - containerPort: 8443
@@ -43,7 +43,7 @@ spec:
           value: #@ data.values.clusterRoleRef
         - name: MAX_CONCURRENT_RECONCILES
           value: #@ data.values.maxConcurrentReconciles
-        image: #@ data.values.registry.hostname + '/' + data.values.registry.project + "/projects-operator:" + data.values.version
+        image: #@ data.values.images.projectsOperator
         name: manager
         resources: #@ data.values.resources
       nodeSelector: #@ data.values.nodeSelector

deployments/k8s/manifests/webhook.yaml

@@ -52,7 +52,7 @@ spec:
       - name: #@ data.values.registry.secretName
       containers:
       - name: webhook
-        image: #@ data.values.registry.hostname + '/' + data.values.registry.project + "/projects-operator:" + data.values.version
+        image: #@ data.values.images.projectsOperator
         command:
         - /webhook
         env:

deployments/k8s/values.yaml → deployments/k8s/values/_default.yaml

@@ -12,6 +12,10 @@ registry:
   password:
   secretName: "registry-secret"
 
+images:
+  projectsOperator:
+  kubeRbacProxy:
+
 clusterRoleRef:
 
 maxConcurrentReconciles: "4"

deployments/k8s/values/images.yaml

@@ -0,0 +1,5 @@
+#@data/values
+---
+images:
+  projectsOperator: dev.registry.pivotal.io/developer-console/projects-operator@sha256:3ce47c158ece4a1d63d449e6152bfb848db7ae207c94ae2ef89748a46e1688c3
+  kubeRbacProxy: dev.registry.pivotal.io/developer-console/kube-rbac-proxy@sha256:fc13323a791c633939b2cb9277b2914cf998dc2575ce16b497fa62871a65b81a

scripts/kapp-delete

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+NAMESPACE="${NAMESPACE:-"projects-operator"}"
+
+kapp delete -y -a projects-operator -n "$NAMESPACE"

scripts/kapp-deploy

@@ -9,15 +9,16 @@ INSTANCE="${INSTANCE:?"please set the instance name of this deployment"}"
 NAMESPACE="${NAMESPACE:-"projects-operator"}"
 VERSION="${VERSION:-"latest"}"
 
-REGISTRY_HOSTNAME="${REGISTRY_HOSTNAME:?"please set the hostname of your registry"}"
-REGISTRY_PROJECT="${REGISTRY_PROJECT:?"please set the project of your registry"}"
+REGISTRY_HOSTNAME="${REGISTRY_HOSTNAME:-"dev.registry.pivotal.io"}"
+REGISTRY_PROJECT="${REGISTRY_PROJECT:-"developer-console"}"
 REGISTRY_USERNAME="${REGISTRY_USERNAME:?"please set the username of your registry"}"
 REGISTRY_PASSWORD="${REGISTRY_PASSWORD:?"please set the password of your registry"}"
 REGISTRY_SECRET_NAME="${REGISTRY_SECRET_NAME:-registry-secret}"
 
 CLUSTER_ROLE_REF="${CLUSTER_ROLE_REF:?"please set the cluster role ref"}"
 
-$DIR/generate-certs $NAME $INSTANCE $NAMESPACE
+export CI
+$DIR/generate-certs "$NAME" "$INSTANCE" "$NAMESPACE"
 
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
@@ -26,19 +27,33 @@ metadata:
   name: $NAMESPACE
 EOF
 
-ytt -f $DIR/../deployments/k8s \
-  -v name=$NAME \
-  -v instance=$INSTANCE \
-  -v namespace=$NAMESPACE \
-  -v version=$VERSION \
-  -v registry.hostname=$REGISTRY_HOSTNAME \
-  -v registry.project=$REGISTRY_PROJECT \
-  -v registry.username=$REGISTRY_USERNAME \
+LOCAL_YTT_FLAGS=""
+LOCAL_KBLD_FLAGS=""
+if [[ $# -eq 1 && "$1" =~ "--local" ]]; then
+  # use kbld to relocate the kube-rbac-proxy image to custom registry
+  kbld -f build/rbac-proxy-relocation.yaml |
+  kbld relocate \
+    --repository "$REGISTRY_HOSTNAME/$REGISTRY_PROJECT/kube-rbac-proxy" \
+    --lock-output build/rbac-proxy-relocation.lock.copied -f -
+  LOCAL_KBLD_FLAGS="-f ${DIR}/../build/rbac-proxy-relocation.lock.copied"
+
+  # use kbld to build, tag and push the cf-service-bridge image to the custom registry.
+  LOCAL_YTT_FLAGS="-f ${DIR}/../build/kbld.yaml"
+fi
+
+ytt -f "$DIR"/../deployments/k8s $LOCAL_YTT_FLAGS \
+  -v name="$NAME" \
+  -v instance="$INSTANCE" \
+  -v namespace="$NAMESPACE" \
+  -v version="$VERSION" \
+  -v registry.hostname="$REGISTRY_HOSTNAME" \
+  -v registry.project="$REGISTRY_PROJECT" \
+  -v registry.username="$REGISTRY_USERNAME" \
   -v registry.password="$REGISTRY_PASSWORD" \
-  -v registry.secretName=$REGISTRY_SECRET_NAME \
-  -v clusterRoleRef=$CLUSTER_ROLE_REF \
+  -v registry.secretName="$REGISTRY_SECRET_NAME" \
+  -v clusterRoleRef="$CLUSTER_ROLE_REF" \
   --data-value-file tls.cert=/tmp/webhook-server-tls.crt \
   --data-value-file tls.key=/tmp/webhook-server-tls.key \
   --data-value-file caCert=/tmp/ca.pem  | \
-kbld -f - | \
-kapp deploy -y -a projects-operator -n $NAMESPACE -f -
+kbld $LOCAL_KBLD_FLAGS -f - | \
+kapp deploy -y -a projects-operator -n "$NAMESPACE" -f -