From dabc2f1d9efb74822cb2d2167c26b123b1e87885 Mon Sep 17 00:00:00 2001 
From: vRabbi Date: Thu, 10 Feb 2022 19:32:05 +0000 Subject: [PATCH] Release 0.2.1 --- CHANGELOG.md | 44 +++-- INSTALL_VALUES_EXPLANATION.md | 13 +- README.md | 42 ++++- .../go/pipeline.yaml | 157 +++++++++++++++++ .../java/README.md | 22 +++ .../java/rabbitmq.yaml | 7 + .../java/workload.yaml | 22 +++ .../java/README.md | 17 -- .../java/mysql.yaml | 73 -------- .../java/workload.yaml | 23 --- .../go/workload.yaml | 2 +- .../cert-injection-webhook/.imgpkg/images.yml | 18 ++ .../config/configmaps.yaml | 34 ++++ .../config/default_values.yaml | 14 ++ .../config/deployment.yaml | 124 ++++++++++++++ .../cert-injection-webhook/config/rbac.yaml | 89 ++++++++++ .../dev-ns-preperation/config/config.yaml | 161 ++++++++++++++++++ .../config/gitops-additions.yaml | 113 +++++++++++- .../config/cert-injection-webhook.yaml | 35 ++++ .../config/dev-ns-preperation.yaml | 2 +- ...alues.yaml => install_default_values.yaml} | 8 + .../config/ootb-supply-chains.yaml | 2 +- .../tap-install/config/service-bindings.yaml | 13 ++ .../tap-install/config/values-schema.yaml | 18 +- repo/.imgpkg/images.yml | 32 ++-- .../package-metadata.yaml | 16 ++ .../cert-injection-webhook/package.yaml | 53 ++++++ repo/packages/ootb-supply-chains/package.yaml | 12 +- repo/packages/tap-oss/package.yaml | 10 +- 29 files changed, 1010 insertions(+), 166 deletions(-) create mode 100644 example-workloads/ootb-basic-supply-chain-with-kaniko/go/pipeline.yaml create mode 100644 example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/README.md create mode 100644 example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/rabbitmq.yaml create mode 100644 example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/workload.yaml delete mode 100644 example-workloads/ootb-svc-binding-native-k8s-deployment/java/README.md delete mode 100644 example-workloads/ootb-svc-binding-native-k8s-deployment/java/mysql.yaml delete mode 100644 
example-workloads/ootb-svc-binding-native-k8s-deployment/java/workload.yaml create mode 100644 packages/cert-injection-webhook/.imgpkg/images.yml create mode 100644 packages/cert-injection-webhook/config/configmaps.yaml create mode 100644 packages/cert-injection-webhook/config/default_values.yaml create mode 100644 packages/cert-injection-webhook/config/deployment.yaml create mode 100644 packages/cert-injection-webhook/config/rbac.yaml create mode 100644 packages/tap-install/config/cert-injection-webhook.yaml rename packages/tap-install/config/{default_values.yaml => install_default_values.yaml} (88%) create mode 100644 repo/packages/cert-injection-webhook/package-metadata.yaml create mode 100644 repo/packages/cert-injection-webhook/package.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index e1f3fdd..a65b896 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,32 +1,40 @@
 # CHANGE LOG FOR THIS REPO
+## 0.2.1
+* Added Gitops supply chain with service bindings using the service claims struct of the workload yaml
+* Added workload example for binding to a rabbitMQ cluster
+* Fixed issue in gitops git-writer task where it failed if the folder already existed in git
+* Fixed Service bindings RBAC to allow work with RabbitMQ (OSS and Tanzu) and Tanzu PostgreSQL operator based objects
+* Added Cert Injection Webhook Package
+* Validated support for running on EKS, kind and minikube
+
 ## 0.2.0
-* Add Service Bindings Package
-* Add Service Bindings for MySQL example workload
-* Add Service Bindings Supply Chain example
-* Make all package optional (opt out mechanism added)
-* Make OOTB Supply chains optional (opt out mechanism added)
-* Added Kaniko based example workload
-* Standardized the labels for workloads and supply chains
-* Added additional docs for getting started
-* Enhanced experience for deployment on a Local Docker based environment
-* Added script to get the status of the platform
+* Add Service Bindings Package
+* Add Service Bindings for MySQL example workload
+* Add Service Bindings Supply Chain example
+* Make all package optional (opt out mechanism added)
+* Make OOTB Supply chains optional (opt out mechanism added)
+* Added Kaniko based example workload
+* Standardized the labels for workloads and supply chains
+* Added additional docs for getting started
+* Enhanced experience for deployment on a Local Docker based environment
+* Added script to get the status of the platform
 ## 0.1.5
-* Add kaniko base supply chain for building images
-* add workload examples for building images with Kaniko instead of Kpack
+* Add kaniko base supply chain for building images
+* add workload examples for building images with Kaniko instead of Kpack
 ## 0.1.4
-* Fix issue with knative to local docker TCE clusters
+* Fix issue with knative to local docker TCE clusters
 ## 0.1.3
-* Tech Debt cleanup
+* Tech Debt cleanup
 ## 
0.1.2 -* Add support for setting Contour to use a ClusterIP for local clusters +* Add support for setting Contour to use a ClusterIP for local clusters ## 0.1.1 -* Fix issue with openapiv3 schema for meta package -* Add example workloads for utilization with the supply chains +* Fix issue with openapiv3 schema for meta package +* Add example workloads for utilization with the supply chains ## 0.1.0 -Initial Release +Initial Release diff --git a/INSTALL_VALUES_EXPLANATION.md b/INSTALL_VALUES_EXPLANATION.md index f37aed6..721f0a6 100644 --- a/INSTALL_VALUES_EXPLANATION.md +++ b/INSTALL_VALUES_EXPLANATION.md @@ -29,6 +29,16 @@ kpack_config: builder: tag: # The full path where you want the builder created in your registry ``` +## CERT INJECTION WEBHOOK +This is needed to support self signed registries or source control systems with kpack. This allows us to configure proxy and CA values to be injected into kpack build pods automatically via a mutating webhook +The Supported values are: +``` +cert_injection_webhook: + ca_cert_data: # BASE64 encoded CA cert data to inject into the Pods + http_proxy: # HTTP Proxy ENV Variable value to inject into the build pods + https_proxy: # HTTPS Proxy ENV Variable value to inject into the build pods + no_proxy: # NO Proxy ENV Variable value to inject into the build pods +``` ## KNATIVE The configuration options are the same as the TCE Package. 
@@ -65,7 +75,7 @@ This package will install 1 to 3 supply chains to help you getting started with The required values are: ``` ootb_supply_chains: - disable_specific_supply_chains: # Array of supply chains to not install. options are: ootb-basic-supply-chain, ootb-gitops-supply-chain, ootb-basic-supply-chain-with-kaniko, and ootb-testing-supply-chain + disable_specific_supply_chains: # Array of supply chains to not install. options are: ootb-basic-supply-chain, ootb-gitops-supply-chain, ootb-basic-supply-chain-with-kaniko, ootb-testing-supply-chain and ootb-gitops-supply-chain-with-svc-bindings image_prefix: # Prefix for image creation path. the workload name will be added as the suffix. should be in the format of // or // gitops: configure: # boolean value of true or false. if set to true, a gitops supply chain will be created. this requires additional inputs which are found in the gitops.git_writer section bellow. @@ -102,3 +112,4 @@ The supported values for this array are: * **ootb-supply-chains.tap.oss** - Gives an easy way to get started by exposing different supply chains to get you started. if disabled, you will need to manually create a supply chain before you can deploy a workload. * **tekton.tap.oss** - Used in all but 1 OOTB supply chain. should be disabled only if you have pre installed tekton * **service-bindings.tap.oss** - Used in 1 OOTB supply chain currently. if you disable this package, binding to backend services will be very complex. +* **cert-injection-webhook.tap.oss** - Used in kpack. if you disable this package, you cannot build images with source from a self signed source or push to a registry with self signed certs. diff --git a/README.md b/README.md index 19022b8..5c9849f 100644 --- a/README.md +++ b/README.md 
@@ -16,14 +16,37 @@ This package repository includes the following packages: 5. **kpack-config.tap.oss** - A package with configuration to setup kpack with Paketo buildpacks 6. **ootb-supply-chains.tap.oss** - A package that includes Supply chains for use in the cluster 7. **tekton.tap.oss** - A package to install Tekton to run pipelines within our supply chains -8. **kpack.tap.oss** - This is the TCE Kpack package simply in the same repo to not have a requirement to install the TCE repo as well -9. **knative-serving.tap.oss** - This is the TCE Knative Serving package simply in the same repo to not have a requirement to install the TCE repo as well -10. **cert-manager.tap.oss** - This is the TCE Cert Manager package simply in the same repo to not have a requirement to install the TCE repo as well -11. **contour.tap.oss** - This is the TCE Contour package simply in the same repo to not have a requirement to install the TCE repo as well -12. **service-bindings.tap.oss** - This is a package that allows simple binding of workloads to backend service using the service bindings project +8. **service-bindings.tap.oss** - This is a package that allows simple binding of workloads to backend service using the service bindings project +9. **cert-injection-webhook.tap.oss** - This is a package that allows injection via webhook of CA certs into pods (used primarily for Kpack) to suppot registries and source control systems with self signed certs +10. **kpack.tap.oss** - This is the TCE Kpack package simply in the same repo to not have a requirement to install the TCE repo as well +11. **knative-serving.tap.oss** - This is the TCE Knative Serving package simply in the same repo to not have a requirement to install the TCE repo as well +12. **cert-manager.tap.oss** - This is the TCE Cert Manager package simply in the same repo to not have a requirement to install the TCE repo as well +13. 
**contour.tap.oss** - This is the TCE Contour package simply in the same repo to not have a requirement to install the TCE repo as well + +## Installation instructions +### TCE and TKGm 1.4+ users can skip to step 3 right away +If you are not running on a TKGm 1.4+ or TCE 0.9.1+ cluster, you must install the Tanzu CLI on your machine and install Kapp Controller in your cluster. +1. Install Tanzu CLI - [Full instructions on TCE website](https://tanzucommunityedition.io/docs/latest/cli-installation/) +* Linux +```bash +curl -H "Accept: application/vnd.github.v3.raw" \ + -L https://api.github.com/repos/vmware-tanzu/community-edition/contents/hack/get-tce-release.sh | \ + bash -s v0.9.1 linux +``` +* Mac +```bash +brew install vmware-tanzu/tanzu/tanzu-community-edition +``` +* Windows +```bash +choco install tanzu-community-edition +``` +2. Install Kapp Controller +```bash +kubectl apply -f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml +``` -## Installation instructions on TCE and TKGm -#### NOTE: Should work on any Kubernetes platform but has not been tested on other platforms yet and would require installing kapp controller first +#### NOTE: Should work on any Kubernetes platform but has not been tested on all major platforms yet. if you have any issue with use on different platforms please open an issue 1. Create the TAP OSS namespace ```bash kubectl create namespace tap-oss @@ -46,6 +69,11 @@ kpack: kpack_config: builder: tag: +cert_injection_webhook: + ca_cert_data: + http_proxy: + https_proxy: + no_proxy: knative: domain: name: diff --git a/example-workloads/ootb-basic-supply-chain-with-kaniko/go/pipeline.yaml b/example-workloads/ootb-basic-supply-chain-with-kaniko/go/pipeline.yaml new file mode 100644 index 0000000..52e1125 --- /dev/null +++ b/example-workloads/ootb-basic-supply-chain-with-kaniko/go/pipeline.yaml 
@@ -0,0 +1,157 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kaniko +spec: + params: + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. + default: ./ + - name: EXTRA_ARGS + type: array + default: [] + - name: BUILDER_IMAGE + description: The image on which builds will run (default is v1.5.1) + default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5 + workspaces: + - name: source + description: Holds the context and docker file + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE-DIGEST + description: Digest of the image just built. + steps: + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS[*]) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) + - --destination=$(params.IMAGE) + - --digest-file=/tekton/results/IMAGE-DIGEST + securityContext: + runAsUser: 0 +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kaniko-source +spec: + params: + - name: blob-url + type: string + - name: blob-revision + type: string + steps: + - command: + - bash + - -cxe + - |- + set -o pipefail + echo $(params.blob-revision) + cd $(workspaces.output.path) + curl -SL $(params.blob-url) | tar xvzf - + image: ghcr.io/vrabbi/golang:latest + name: extract-source + resources: {} + workspaces: + - name: output +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: export-image-ref +spec: + params: + - name: image-url + type: string + - name: image-digest + type: string + steps: + - command: + - bash + - -cxe + - |- + set -o pipefail + echo $(params.image-url)@$(params.image-digest) | tr -d '\n' | 
tee $(results.imageRef.path) + image: ghcr.io/vrabbi/golang:latest + name: extract-source + resources: {} + workspaces: + - name: output + results: + - name: imageRef + description: The Image Ref to be used by TAP for future supply chain steps +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + annotations: + name: kaniko-runner +spec: + params: + - description: Flux GitRepository URL source + name: source-url + type: string + - description: Flux GitRepository Revision + name: source-revision + type: string + - description: Image path to be pushed to + name: image_url + type: string + results: + - description: "" + name: imageRef + value: $(tasks.export-image-ref.results.imageRef) + tasks: + - name: unpack-source + params: + - name: blob-url + value: $(params.source-url) + - name: blob-revision + value: $(params.source-revision) + taskRef: + kind: Task + name: kaniko-source + workspaces: + - name: output + workspace: source-ws + - name: kaniko + params: + - name: IMAGE + value: $(params.image_url) + runAfter: + - unpack-source + taskRef: + kind: Task + name: kaniko + workspaces: + - name: source + workspace: source-ws + - name: export-image-ref + params: + - name: image-url + value: $(params.image_url) + - name: image-digest + value: $(tasks.kaniko.results.IMAGE-DIGEST) + runAfter: + - kaniko + taskRef: + kind: Task + name: export-image-ref + workspaces: + - name: output + workspace: source-ws + workspaces: + - name: source-ws + - name: dockerconfig + optional: true diff --git a/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/README.md b/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/README.md new file mode 100644 index 0000000..8a07832 --- /dev/null +++ b/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/README.md 
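Review bot: The `dockerconfig` workspace declared at the bottom of the `kaniko-runner` Pipeline is never bound to the `kaniko` task (its `workspaces:` entry only maps `source`), so credentials supplied through it never reach the Task's `/kaniko/.docker` mount and the push has to rely on some other credential source; add under the kaniko task's `workspaces:` the pair `- name: dockerconfig` / `workspace: dockerconfig`. The `kaniko-source` step pipes `curl -SL $(params.blob-url)` straight into `tar` while `blob-revision` is only echoed, so nothing checks that the fetched archive is the requested revision — if the Flux artifact checksum is available to the pipeline it would be worth verifying it before extraction. Both helper tasks use `ghcr.io/vrabbi/golang:latest`; pinning a tag or digest, as the Kaniko `BUILDER_IMAGE` default already does, keeps builds reproducible. The `export-image-ref` task's step is still named `extract-source`, a copy-paste leftover. The same Task and Pipeline definitions are duplicated into `packages/dev-ns-preperation/config/config.yaml` by this patch and carry the same points.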
@@ -0,0 +1,22 @@ +# Usage +This example uses the rabbitmq cluster operator and the service binding controller to bind an application to your workload. +This is implemented in a gitops workflow as this is an optimal way to handle backend service bindings when deploying to multiple clusters. +While we are doing this in the same cluster in this example the gitops approach is being used to show that this is possible and is a very powerfull approach for workload management. +# Pre Reqs +1. Install the rabbitMQ Cluster Operator: +```bash +kubectl apply -f https://github.com/rabbitmq/cluster-operator/releases/latest/download/cluster-operator.yml +``` +2. Create a rabbitMQ cluster using the manifest in this repo +```bash +kubectl apply -f rabbitmq.yaml +``` + +# Installation +1. Deploy the workload +```bash +kubectl apply -f workload.yaml +``` +2. when the workload is complete the generated YAML will be uploaded to your configured git repo +3. Download the file and apply it to your cluster +4. Watch the magic happen! diff --git a/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/rabbitmq.yaml b/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/rabbitmq.yaml new file mode 100644 index 0000000..974e093 --- /dev/null +++ b/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/rabbitmq.yaml @@ -0,0 +1,7 @@ +apiVersion: rabbitmq.com/v1beta1 +kind: RabbitmqCluster +metadata: + name: rabbitmqcluster-sample +spec: + service: + type: LoadBalancer diff --git a/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/workload.yaml b/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/workload.yaml new file mode 100644 index 0000000..9cb4781 --- /dev/null +++ b/example-workloads/ootb-gitops-supply-chain-with-svc-bindings/java/workload.yaml 
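Review bot: `spec.service.type: LoadBalancer` in `rabbitmqcluster-sample` exposes the broker's ports outside the cluster, while the example only needs the in-cluster ServiceBinding created for `workload.yaml`; `type: ClusterIP` (or omitting `spec.service`) is the safer default for a sample users will apply as-is. If external reachability is intended for the demo, a comment above the field such as `# LoadBalancer only so the demo broker can be reached from outside the cluster; use ClusterIP otherwise` makes the choice explicit.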
@@ -0,0 +1,22 @@ +--- +apiVersion: carto.run/v1alpha1 +kind: Workload +metadata: + labels: + apps.tanzu.vmware.com/gitops: "true" + apps.tanzu.vmware.com/has-bindings: "true" + apps.tanzu.vmware.com/workload-type: "web" + name: sensors + namespace: default +spec: + serviceClaims: + - name: rmq + ref: + apiVersion: rabbitmq.com/v1beta1 + kind: RabbitmqCluster + name: rabbitmqcluster-sample + source: + git: + ref: + branch: v0.2.0 + url: https://github.com/jhvhs/rabbitmq-sample diff --git a/example-workloads/ootb-svc-binding-native-k8s-deployment/java/README.md b/example-workloads/ootb-svc-binding-native-k8s-deployment/java/README.md deleted file mode 100644 index 2746034..0000000 --- a/example-workloads/ootb-svc-binding-native-k8s-deployment/java/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Using Service Bindings with workloads - -## Preperation -This example uses native k8s deployment, service and ingress objects and as such requires us to add a few additional parameters to our workload yaml that with knative we would not need: -1. containerPort - this is set to 8080 in the example and is configured to work that way. if your app is on a different port change it in the workload.yaml file -2. ingressDomain - we will be creating an ingress and as we dont have the default config settings like in knative, we must supply the suffix of the domain our ingress we point to. - -As we are binding to an existing data service, we need to apply the mysql.yaml in the cluster before deploying our workload: -```bash -kubectl apply -f mysql.yaml -``` - -## Deployment -Just like any other workload we can install our app via a single command: -```bash -kubectl apply -f workload.yaml -``` diff --git a/example-workloads/ootb-svc-binding-native-k8s-deployment/java/mysql.yaml b/example-workloads/ootb-svc-binding-native-k8s-deployment/java/mysql.yaml deleted file mode 100644 index 9bf7bff..0000000 --- a/example-workloads/ootb-svc-binding-native-k8s-deployment/java/mysql.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: spring-petclinic-db -type: servicebinding.io/mysql -stringData: - type: mysql - provider: mariadb - host: spring-petclinic-db - port: "3306" - database: default - username: user - password: pass ---- -apiVersion: v1 -kind: Service -metadata: - name: spring-petclinic-db -spec: - ports: - - port: 3306 - selector: - app: spring-petclinic-db ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: spring-petclinic-db - labels: - app: spring-petclinic-db -spec: - selector: - matchLabels: - app: spring-petclinic-db - template: - metadata: - labels: - app: spring-petclinic-db - spec: - containers: - - image: mariadb:10.5 - name: mysql - env: - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: spring-petclinic-db - key: username - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: spring-petclinic-db - key: password - - name: MYSQL_DATABASE - valueFrom: - secretKeyRef: - name: spring-petclinic-db - key: database - - name: MYSQL_ROOT_PASSWORD - value: root - ports: - - containerPort: 3306 - name: mysql - livenessProbe: - tcpSocket: - port: mysql - readinessProbe: - tcpSocket: - port: mysql - startupProbe: - tcpSocket: - port: mysql diff --git a/example-workloads/ootb-svc-binding-native-k8s-deployment/java/workload.yaml b/example-workloads/ootb-svc-binding-native-k8s-deployment/java/workload.yaml deleted file mode 100644 index 2023813..0000000 --- a/example-workloads/ootb-svc-binding-native-k8s-deployment/java/workload.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: carto.run/v1alpha1 -kind: Workload -metadata: - name: petclinic-demo-app - labels: - apps.tanzu.vmware.com/workload-type: web - apps.tanzu.vmware.com/has-db-binding: "true" - apps.tanzu.vmware.com/native-k8s-deployment: "true" -spec: - serviceAccountName: default - env: - - name: SPRING_PROFILES_ACTIVE - value: mysql - params: - - name: containerPort - value: 8080 - - name: ingressDomain - value: eks.vrabbi.cloud - source: - git: - url: https://github.com/vrabbi/scott-petclinic - ref: - branch: master diff --git a/example-workloads/ootb-testing-supply-chain/go/workload.yaml b/example-workloads/ootb-testing-supply-chain/go/workload.yaml index 82f2612..3af5002 100644 --- a/example-workloads/ootb-testing-supply-chain/go/workload.yaml +++ b/example-workloads/ootb-testing-supply-chain/go/workload.yaml @@ -1,7 +1,7 @@ apiVersion: carto.run/v1alpha1 kind: Workload metadata: - name: go-demo-app + name: go-demo-app-tested labels: apps.tanzu.vmware.com/workload-type: web apps.tanzu.vmware.com/has-tests: "true" diff --git a/packages/cert-injection-webhook/.imgpkg/images.yml b/packages/cert-injection-webhook/.imgpkg/images.yml new file mode 100644 index 0000000..73f2c39 --- /dev/null +++ b/packages/cert-injection-webhook/.imgpkg/images.yml @@ -0,0 +1,18 @@ +--- +apiVersion: imgpkg.carvel.dev/v1alpha1 +images: +- annotations: + kbld.carvel.dev/id: ghcr.io/vrabbi/cert-injector-webhook:0.1.0 + kbld.carvel.dev/origins: | + - resolved: + tag: 0.1.0 + url: ghcr.io/vrabbi/cert-injector-webhook:0.1.0 + image: ghcr.io/vrabbi/cert-injector-webhook@sha256:5f81a89db6d41883be79e67d73ff41207427256afa0f3a02456dc17507eb598f +- annotations: + kbld.carvel.dev/id: ghcr.io/vrabbi/setup-ca-certs:0.1.0 + kbld.carvel.dev/origins: | + - resolved: + tag: 0.1.0 + url: ghcr.io/vrabbi/setup-ca-certs:0.1.0 + image: ghcr.io/vrabbi/setup-ca-certs@sha256:b97f7203c09c652ba9e2065fd98574ac971de8ddb309a6cc37dd1220c3c84912 +kind: ImagesLock 
diff --git a/packages/cert-injection-webhook/config/configmaps.yaml b/packages/cert-injection-webhook/config/configmaps.yaml new file mode 100644 index 0000000..eb760a2 --- /dev/null +++ b/packages/cert-injection-webhook/config/configmaps.yaml @@ -0,0 +1,34 @@ +#@ load("@ytt:data", "data") +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ca-cert + namespace: cert-injection-webhook +data: + ca.crt: #@ data.values.ca_cert_data if data.values.ca_cert_data else "" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: http-proxy + namespace: cert-injection-webhook +data: + value: #@ data.values.http_proxy if data.values.http_proxy else "" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: https-proxy + namespace: cert-injection-webhook +data: + value: #@ data.values.https_proxy if data.values.https_proxy else "" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: no-proxy + namespace: cert-injection-webhook +data: + value: #@ data.values.no_proxy if data.values.no_proxy else "" +--- diff --git a/packages/cert-injection-webhook/config/default_values.yaml b/packages/cert-injection-webhook/config/default_values.yaml new file mode 100644 index 0000000..054799e --- /dev/null +++ b/packages/cert-injection-webhook/config/default_values.yaml @@ -0,0 +1,14 @@ +#@data/values-schema +--- +pod_webhook_image: ghcr.io/vrabbi/cert-injector-webhook:0.1.0 +setup_ca_certs_image: ghcr.io/vrabbi/setup-ca-certs:0.1.0 + +labels: + - "kpack.io/build" +annotations: +- "" + +ca_cert_data: "" +http_proxy: "" +https_proxy: "" +no_proxy: "" diff --git a/packages/cert-injection-webhook/config/deployment.yaml b/packages/cert-injection-webhook/config/deployment.yaml new file mode 100644 index 0000000..6f5e2f6 --- /dev/null +++ b/packages/cert-injection-webhook/config/deployment.yaml 
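Review bot: `ca.crt` in the `ca-cert` ConfigMap is written under `data:` with `ca_cert_data` copied verbatim, while the `INSTALL_VALUES_EXPLANATION.md` hunk in this patch documents the value as "BASE64 encoded CA cert data"; a ConfigMap `data` field is stored as-is, so the server would read base64 text from `/run/config_maps/ca_cert/ca.crt` unless it decodes it itself. Either the docs should say the value is the PEM text or this should use `binaryData:` — please confirm what the webhook image expects before settling the docs. The `else ""` fallbacks also mean an unset value silently renders an empty `ca.crt` and empty proxy values; a one-line comment above the first ConfigMap noting that unset values are deliberately rendered as empty strings would make that intent visible.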
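Review bot: Under `#@data/values-schema`, the single item of a sequence only declares the item type and the array's default is the empty list, so `labels: - "kpack.io/build"` does not make `labels` default to `["kpack.io/build"]` — unless the installer passes `labels` explicitly, the server in `deployment.yaml` is started with no `-label` flag, which depending on the server either disables injection or stops filtering; worth confirming. If the intent is to target kpack build pods by default, recent ytt versions let you pin it with `#@schema/default ["kpack.io/build"]` on the line above `labels:`. The `annotations: - ""` entry is then just a type marker, which is fine; the two sequences are also indented inconsistently (indented under `labels`, flush under `annotations`) and should use one style for the file.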
@@ -0,0 +1,124 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:assert", "assert") +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: setup-ca-certs-image + namespace: cert-injection-webhook +data: + image: #@ data.values.setup_ca_certs_image or assert.fail("missing setup_ca_certs_image") +--- +apiVersion: v1 +kind: Secret +metadata: + name: cert-injection-webhook-tls + namespace: cert-injection-webhook +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-injection-webhook + namespace: cert-injection-webhook + labels: + app: cert-injection-webhook +spec: + replicas: 1 + selector: + matchLabels: + app: cert-injection-webhook + template: + metadata: + labels: + app: cert-injection-webhook + spec: + serviceAccountName: cert-injection-webhook-sa + containers: + - name: server + image: #@ data.values.pod_webhook_image or assert.fail("missing pod_webhook_image") + imagePullPolicy: Always + args: + #@ for label in data.values.labels: + - #@ "-label={}".format(label) + #@ end + #@ for annotation in data.values.annotations: + - #@ "-annotation={}".format(annotation) + #@ end + volumeMounts: + - name: webhook-ca-cert + mountPath: /run/config_maps/ca_cert + readOnly: true + ports: + - containerPort: 8443 + name: webhook-port + env: + - name: HTTP_PROXY + valueFrom: + configMapKeyRef: + name: http-proxy + key: value + - name: HTTPS_PROXY + valueFrom: + configMapKeyRef: + name: https-proxy + key: value + - name: NO_PROXY + valueFrom: + configMapKeyRef: + name: no-proxy + key: value + - name: SETUP_CA_CERTS_IMAGE + valueFrom: + configMapKeyRef: + name: setup-ca-certs-image + key: image + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumes: + - name: webhook-ca-cert + configMap: + name: ca-cert +--- +apiVersion: v1 +kind: Service +metadata: + name: cert-injection-webhook + namespace: cert-injection-webhook +spec: + selector: + app: cert-injection-webhook + ports: + - port: 443 + targetPort: webhook-port +--- +apiVersion: 
admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: defaults.webhook.cert-injection.tanzu.vmware.com +webhooks: + - name: defaults.webhook.cert-injection.tanzu.vmware.com + admissionReviewVersions: + - v1 + clientConfig: + service: + name: cert-injection-webhook + namespace: cert-injection-webhook + path: /podwebhook + port: 443 + failurePolicy: Ignore + matchPolicy: Exact + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-injection-webhook-sa + namespace: cert-injection-webhook diff --git a/packages/cert-injection-webhook/config/rbac.yaml b/packages/cert-injection-webhook/config/rbac.yaml new file mode 100644 index 0000000..f25fd7c --- /dev/null +++ b/packages/cert-injection-webhook/config/rbac.yaml 
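Review bot: The MutatingWebhookConfiguration at the end of the hunk has no `namespaceSelector` or `objectSelector`, so every pod CREATE/UPDATE in the cluster — kube-system included — is routed through the webhook and filtered only inside the server; with `failurePolicy: Ignore` that is fail-open, which is the sensible choice for a cluster-wide scope but means an outage silently yields build pods without the CA. Narrowing the scope at the API server, e.g. `namespaceSelector: {matchExpressions: [{key: kubernetes.io/metadata.name, operator: NotIn, values: [kube-system]}]}`, plus an `objectSelector` derived from `data.values.labels`, keeps control-plane pods out of the webhook's path and limits the blast radius of a misbehaving server. The `server` container carries no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem`) and no resource limits; whether the image runs as non-root cannot be seen here, so confirm before adding them. `clientConfig` has no `caBundle` and the `cert-injection-webhook-tls` Secret is created empty, which suggests the server generates its own certificate and patches both at runtime (consistent with the `update` rules in `rbac.yaml`); a comment on the Secret such as `# populated at runtime by the webhook server; see rbac.yaml` would spare the next reader the reverse-engineering.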
@@ -0,0 +1,89 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cert-injection-webhook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cert-injection-webhook-role + namespace: cert-injection-webhook +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - cert-injection-webhook-tls + verbs: + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cert-injection-webhook-role-binding + namespace: cert-injection-webhook + annotations: + kapp.k14s.io/update-strategy: fallback-on-replace +subjects: +- kind: ServiceAccount + name: cert-injection-webhook-sa + namespace: cert-injection-webhook +roleRef: + kind: Role + name: cert-injection-webhook-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-injection-webhook-cluster-role +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - defaults.webhook.cert-injection.tanzu.vmware.com + verbs: + - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-injection-webhook-cluster-role-binding + annotations: + kapp.k14s.io/update-strategy: fallback-on-replace +subjects: +- kind: ServiceAccount + name: cert-injection-webhook-sa + namespace: cert-injection-webhook +roleRef: + kind: ClusterRole + name: cert-injection-webhook-cluster-role + apiGroup: rbac.authorization.k8s.io diff --git a/packages/dev-ns-preperation/config/config.yaml b/packages/dev-ns-preperation/config/config.yaml index 38172d3..ab845f8 100644 
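Review bot: The first rule of `cert-injection-webhook-role` grants `get`/`list`/`watch` on every Secret in the `cert-injection-webhook` namespace, while the only Secret the package shows the server touching is `cert-injection-webhook-tls`, which the `update` rule already scopes with `resourceNames`. If the server only reads its own Secret, `get` can be scoped with the same `resourceNames`; `list`/`watch` can only be narrowed that way when the request selects by name, so if a namespace-wide watch is genuinely needed a comment such as `# list/watch kept namespace-wide for the secret watcher; get could be scoped by resourceNames` documents the deliberate choice. The ClusterRole is appropriately limited to the package's own MutatingWebhookConfiguration for `update`.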
--- a/packages/dev-ns-preperation/config/config.yaml +++ b/packages/dev-ns-preperation/config/config.yaml 
@@ -281,4 +281,165 @@ roleRef: subjects: - kind: ServiceAccount name: default +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kaniko + namespace: #@ ns.name +spec: + params: + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. + default: ./ + - name: EXTRA_ARGS + type: array + default: [] + - name: BUILDER_IMAGE + description: The image on which builds will run (default is v1.5.1) + default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5 + workspaces: + - name: source + description: Holds the context and docker file + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE-DIGEST + description: Digest of the image just built. + steps: + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS[*]) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) + - --destination=$(params.IMAGE) + - --digest-file=/tekton/results/IMAGE-DIGEST + securityContext: + runAsUser: 0 +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kaniko-source + namespace: #@ ns.name +spec: + params: + - name: blob-url + type: string + - name: blob-revision + type: string + steps: + - command: + - bash + - -cxe + - |- + set -o pipefail + echo $(params.blob-revision) + cd $(workspaces.output.path) + curl -SL $(params.blob-url) | tar xvzf - + image: ghcr.io/vrabbi/golang:latest + name: extract-source + resources: {} + workspaces: + - name: output +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: export-image-ref + namespace: #@ ns.name +spec: + params: + - name: image-url + type: string + - name: image-digest + type: 
string + steps: + - command: + - bash + - -cxe + - |- + set -o pipefail + echo $(params.image-url)@$(params.image-digest) | tr -d '\n' | tee $(results.imageRef.path) + image: ghcr.io/vrabbi/golang:latest + name: extract-source + resources: {} + workspaces: + - name: output + results: + - name: imageRef + description: The Image Ref to be used by TAP for future supply chain steps +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: kaniko-runner + namespace: #@ ns.name +spec: + params: + - description: Flux GitRepository URL source + name: source-url + type: string + - description: Flux GitRepository Revision + name: source-revision + type: string + - description: Image path to be pushed to + name: image_url + type: string + results: + - description: "" + name: imageRef + value: $(tasks.export-image-ref.results.imageRef) + tasks: + - name: unpack-source + params: + - name: blob-url + value: $(params.source-url) + - name: blob-revision + value: $(params.source-revision) + taskRef: + kind: Task + name: kaniko-source + workspaces: + - name: output + workspace: source-ws + - name: kaniko + params: + - name: IMAGE + value: $(params.image_url) + runAfter: + - unpack-source + taskRef: + kind: Task + name: kaniko + workspaces: + - name: source + workspace: source-ws + - name: export-image-ref + params: + - name: image-url + value: $(params.image_url) + - name: image-digest + value: $(tasks.kaniko.results.IMAGE-DIGEST) + runAfter: + - kaniko + taskRef: + kind: Task + name: export-image-ref + workspaces: + - name: output + workspace: source-ws + workspaces: + - name: source-ws + - name: dockerconfig + optional: true #@ end diff --git a/packages/ootb-supply-chains/config/gitops-additions.yaml b/packages/ootb-supply-chains/config/gitops-additions.yaml index 6dd73d6..380bf34 100644 --- a/packages/ootb-supply-chains/config/gitops-additions.yaml +++ b/packages/ootb-supply-chains/config/gitops-additions.yaml 
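Review bot: This hunk installs the same `kaniko`, `kaniko-source` and `export-image-ref` Tasks and the `kaniko-runner` Pipeline that `example-workloads/ootb-basic-supply-chain-with-kaniko/go/pipeline.yaml` in this patch also defines; applying the example on top of a namespace prepared by this package will collide on those names (kapp typically refuses to adopt resources owned by another app, and a plain `kubectl apply` overwrites the packaged versions). Either drop the example copy or document that it is only for namespaces not prepared by the package. The points raised on the example file apply to this copy as well, and the closing `#@ end` on the last line belongs to a loop that begins outside the hunk.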
@@ -236,7 +236,7 @@ spec: export CONFIG_MAP_FIELD=$(runnable.spec.inputs.input_config_map_field)$ export WORKLOAD_NAME=$(runnable.spec.inputs.input_config_map_name)$ export DATA="$(runnable.spec.inputs.data)$" - mkdir $WORKLOAD_NAME + mkdir -p $WORKLOAD_NAME echo "$DATA" | tee "$WORKLOAD_NAME/$CONFIG_MAP_FIELD" git add . git commit --allow-empty -m "[$WORKLOAD_NAME] - $COMMIT_MESSAGE" 
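Review bot: `mkdir -p $WORKLOAD_NAME` leaves the variable unquoted while the `tee` target on the next line quotes it; `mkdir -p "$WORKLOAD_NAME"` keeps word splitting out of the path handling consistently, given that `WORKLOAD_NAME` is taken from a runnable input rather than a fixed value. The script this line belongs to starts and ends outside the hunk.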
@@ -328,6 +328,117 @@ spec: - resource: config-provider name: data #@ end +#@ install = True +#@ for i in data.values.disable_specific_supply_chains: +#@ if i == "ootb-gitops-supply-chain-with-svc-bindings": +#@ install = False +#@ end +#@ end +#@ if install == True: +--- +apiVersion: carto.run/v1alpha1 +kind: ClusterConfigTemplate +metadata: + name: config-template-with-svc-bindings +spec: + configPath: .data.manifest + ytt: | + #@ load("@ytt:data", "data") + #@ load("@ytt:yaml", "yaml") + #@ if hasattr(data.values.workload.spec, "serviceClaims"): + #@ def claims(): + --- + apiVersion: servicebinding.io/v1alpha3 + kind: ServiceBinding + metadata: + name: #@ data.values.workload.metadata.name + '-' + data.values.workload.spec.serviceClaims[0].name + spec: + service: + apiVersion: #@ data.values.workload.spec.serviceClaims[0].ref.apiVersion + kind: #@ data.values.workload.spec.serviceClaims[0].ref.kind + name: #@ data.values.workload.spec.serviceClaims[0].ref.name + workload: + apiVersion: serving.knative.dev/v1 + kind: Service + name: #@ data.values.workload.metadata.name + #@ end + #@ end + #@ def service(): + --- + apiVersion: serving.knative.dev/v1 + kind: Service + metadata: + name: #@ data.values.workload.metadata.name + labels: + #@ if hasattr(data.values.workload.metadata, "labels"): + #@ if hasattr(data.values.workload.metadata.labels, "app.kubernetes.io/part-of"): + app.kubernetes.io/part-of: #@ data.values.workload.metadata.labels["app.kubernetes.io/part-of"] + #@ end + #@ end + carto.run/workload-name: #@ data.values.workload.metadata.name + app.kubernetes.io/component: run + spec: + template: + spec: + containers: + - name: workload + image: #@ data.values.image + securityContext: + runAsUser: 1000 + imagePullSecrets: + - name: registry-credentials + #@ end + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: #@ data.values.workload.metadata.name + data: + #@ if hasattr(data.values.workload.spec, "serviceClaims"): + manifest: #@ 
yaml.encode(claims()) + "---\n" + yaml.encode(service()) + #@ else: + manifest: #@ yaml.encode(service()) + #@ end +--- +apiVersion: carto.run/v1alpha1 +kind: ClusterSupplyChain +metadata: + name: ootb-gitops-supply-chain-with-svc-bindings +spec: + resources: + - name: source-provider + templateRef: + kind: ClusterSourceTemplate + name: source + - name: image-builder + params: + - name: image_prefix + value: #@ data.values.image_prefix + sources: + - name: source + resource: source-provider + templateRef: + kind: ClusterImageTemplate + name: image + - images: + - name: image + resource: image-builder + name: config-provider + templateRef: + kind: ClusterConfigTemplate + name: config-template-with-svc-bindings + - configs: + - name: data + resource: config-provider + name: git-writer + templateRef: + kind: ClusterTemplate + name: git-writer + selector: + apps.tanzu.vmware.com/gitops: "true" + apps.tanzu.vmware.com/has-bindings: "true" + apps.tanzu.vmware.com/workload-type: web +#@ end #@ end #@ end #@ end diff --git a/packages/tap-install/config/cert-injection-webhook.yaml b/packages/tap-install/config/cert-injection-webhook.yaml new file mode 100644 index 0000000..dfd4594 --- /dev/null +++ b/packages/tap-install/config/cert-injection-webhook.yaml 
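Review bot: `config-template-with-svc-bindings` binds only `serviceClaims[0]`; a workload that declares two or more claims gets a ServiceBinding for the first and the rest are silently dropped, although the selector `apps.tanzu.vmware.com/has-bindings: "true"` admits any number of them. Iterating the list inside `claims()` — `#@ for claim in data.values.workload.spec.serviceClaims:` with one ServiceBinding document per `claim`, named `data.values.workload.metadata.name + '-' + claim.name` — would cover all of them; whether `yaml.encode` of a multi-document function result joins the documents the way the `"---\n"` concatenation expects should be checked on a rendered template. `#@ if install == True:` can be `#@ if install:`, matching Starlark style. The added `#@ end` closes the `#@ if` at the top of the hunk; the three context `#@ end` lines after it close blocks opened outside the hunk.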
@@ -0,0 +1,35 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:yaml", "yaml") +#@ install = True +#@ for i in data.values.disabled_packages: +#@ if i == "cert-injection-webhook.tap.oss": +#@ install = False +#@ end +#@ end +#@ if install == True: +--- +apiVersion: packaging.carvel.dev/v1alpha1 +kind: PackageInstall +metadata: + name: cert-injection-webhook + namespace: tap-oss + annotations: + kapp.k14s.io/change-rule.serviceaccount: "delete before deleting serviceaccount" +spec: + serviceAccountName: tap-oss-install-sa + packageRef: + refName: cert-injection-webhook.tap.oss + versionSelection: + constraints: 0.1.0 + values: + - secretRef: + name: cert-injection-webhook-values +--- +apiVersion: v1 +kind: Secret +metadata: + name: cert-injection-webhook-values + namespace: tap-oss +stringData: + values.yaml: #@ yaml.encode(data.values.cert_injection_webhook) +#@ end diff --git a/packages/tap-install/config/dev-ns-preperation.yaml b/packages/tap-install/config/dev-ns-preperation.yaml index d914651..f5737c9 100644 --- a/packages/tap-install/config/dev-ns-preperation.yaml +++ b/packages/tap-install/config/dev-ns-preperation.yaml @@ -22,7 +22,7 @@ spec: packageRef: refName: dev-ns-preperation.tap.oss versionSelection: - constraints: 0.2.0 + constraints: 0.2.1 values: - secretRef: name: dev-ns-preperation-values diff --git a/packages/tap-install/config/default_values.yaml b/packages/tap-install/config/install_default_values.yaml similarity index 88% rename from packages/tap-install/config/default_values.yaml rename to packages/tap-install/config/install_default_values.yaml index f2d62e8..0047e26 100644 --- a/packages/tap-install/config/default_values.yaml +++ b/packages/tap-install/config/install_default_values.yaml 
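Review bot: The `install` flag is computed with a four-line loop that only tests membership; `#@ if "cert-injection-webhook.tap.oss" not in data.values.disabled_packages:` expresses the same condition in one line and drops the `== True` comparison. The values Secret serialises the whole `cert_injection_webhook` block, so `http_proxy`/`https_proxy` values that embed proxy credentials land in `cert-injection-webhook-values` next to the non-sensitive label list; a comment above the Secret noting that these fields may carry credentials would tell operators what to protect. `versionSelection.constraints: 0.1.0` matches the `version: 0.1.0` declared in the new package.yaml, so this pin is consistent.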
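Review bot: The dev-ns-preperation PackageInstall now pins `constraints: 0.2.1`, but the updated `repo/.imgpkg/images.yml` in this commit records `dev-ns-preperation-package:0.2.0` and no Package manifest for a `0.2.1` version of that package appears in this diff; if the repository does not publish that version, kapp-controller cannot satisfy the constraint and the install stalls. Confirm that the dev-ns-preperation Package manifest under `repo/packages/` (not in this diff) declares `version: 0.2.1` and that the images lock is regenerated to match, or keep this pin at `0.2.0`.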
@@ -5,6 +5,14 @@ contour: envoy: service: type: LoadBalancer +cert_injection_webhook: + labels: + - "kpack.io/build" + annotations: [] + ca_cert_data: "" + http_proxy: "" + https_proxy: "" + no_proxy: "" kpack: kp_default_repository: "harbor.tap.oss" kp_default_repository_password: "Harbor12345" diff --git a/packages/tap-install/config/ootb-supply-chains.yaml b/packages/tap-install/config/ootb-supply-chains.yaml index c16bd73..1aa6dac 100644 --- a/packages/tap-install/config/ootb-supply-chains.yaml +++ b/packages/tap-install/config/ootb-supply-chains.yaml @@ -21,7 +21,7 @@ spec: packageRef: refName: ootb-supply-chains.tap.oss versionSelection: - constraints: 0.2.0 + constraints: 0.2.1 values: - secretRef: name: ootb-supply-chains-values diff --git a/packages/tap-install/config/service-bindings.yaml b/packages/tap-install/config/service-bindings.yaml index 161192d..d3a08b1 100644 --- a/packages/tap-install/config/service-bindings.yaml +++ b/packages/tap-install/config/service-bindings.yaml @@ -21,4 +21,17 @@ spec: refName: service-bindings.tap.oss versionSelection: constraints: 0.6.0 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: service-bindings-ctrl-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: controller + namespace: service-bindings #@ end diff --git a/packages/tap-install/config/values-schema.yaml b/packages/tap-install/config/values-schema.yaml index b256e3e..fa95cd4 100644 --- a/packages/tap-install/config/values-schema.yaml +++ b/packages/tap-install/config/values-schema.yaml @@ -1,6 +1,6 @@ #@data/values-schema --- -#@schema/desc "Array of packages to disable installation of. +#@schema/desc "Array of packages to disable installation of." disabled_packages: - "" #@schema/desc "TCE Contour package configuration" 
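Review bot: The new `service-bindings-ctrl-admin` ClusterRoleBinding grants the `controller` ServiceAccount in `service-bindings` the built-in `cluster-admin` role, which is far broader than a binding controller needs and turns any compromise of that controller pod into full-cluster access. A dedicated ClusterRole listing only the API groups and verbs the controller actually uses (presumably the servicebinding.io resources it reconciles, plus read access to the bound services and the Secrets it projects — confirm against the controller's own RBAC manifest) keeps it at least privilege. If the upstream package already ships RBAC and this binding works around one specific missing permission, a comment above the binding naming that permission would document why it exists.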
@@ -9,6 +9,22 @@ contour: service: #@schema/desc "Service type for Envoy - Set to ClusterIP for local clusters. defaults to LoadBalancer" type: LoadBalancer +#@schema/desc "Package Configuration for Cert Injection Webhook" +cert_injection_webhook: + #@schema/desc "Pod labels to trigger CA Cert injection" + labels: + - "kpack.io/build" + #@schema/desc "Pod Annotations to trigger CA Cert injection" + annotations: + - "" + #@schema/desc "Base64 encoded CA Cert data to inject into pods" + ca_cert_data: "" + #@schema/desc "HTTP Proxy ENV Variable value to inject into Pods" + http_proxy: "" + #@schema/desc "HTTPS Proxy ENV Variable value to inject into Pods" + https_proxy: "" + #@schema/desc "No Proxy ENV Variable value to inject into Pods" + no_proxy: "" #@schema/desc "TCE Kpack package configuration" kpack: #@schema/desc "Default repo for kpack resources and images" diff --git a/repo/.imgpkg/images.yml b/repo/.imgpkg/images.yml index e2df880..848b4cf 100644 --- a/repo/.imgpkg/images.yml +++ b/repo/.imgpkg/images.yml 
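Review bot: In a `#@data/values-schema` document an array entry declares the element type but the array's default is empty, so `labels: - "kpack.io/build"` here does not give `labels` a default of `["kpack.io/build"]`; the value only takes effect because `install_default_values.yaml` sets it separately. If the schema is meant to carry the default, annotate it with `#@schema/default ["kpack.io/build"]` (confirm the ytt version in use supports it); otherwise a `#@schema/desc` text that says the default comes from the install values file saves the next reader the same puzzle. `annotations: - ""` is consistent with this rule and correctly declares an empty string-array default.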
@@ -9,12 +9,19 @@ images: url: ghcr.io/vrabbi/cartographer-package:0.2.1 image: ghcr.io/vrabbi/cartographer-package@sha256:d2c94525e9ab44ee50b5a0e187dc7006a6d7229872f7fd16e6dc07b2b3603ed7 - annotations: - kbld.carvel.dev/id: ghcr.io/vrabbi/dev-ns-preperation-package:0.1.0 + kbld.carvel.dev/id: ghcr.io/vrabbi/cert-injection-webhook-package:0.1.0 kbld.carvel.dev/origins: | - resolved: tag: 0.1.0 - url: ghcr.io/vrabbi/dev-ns-preperation-package:0.1.0 - image: ghcr.io/vrabbi/dev-ns-preperation-package@sha256:572a1968ce344e2b4792c61caabec6a41b0a0249d15ae57ac2702ebe10263fef + url: ghcr.io/vrabbi/cert-injection-webhook-package:0.1.0 + image: ghcr.io/vrabbi/cert-injection-webhook-package@sha256:bee3470f023215c791d944c19608f02cd0b724119e5fa8e08048b45ec68518e8 +- annotations: + kbld.carvel.dev/id: ghcr.io/vrabbi/dev-ns-preperation-package:0.2.0 + kbld.carvel.dev/origins: | + - resolved: + tag: 0.2.0 + url: ghcr.io/vrabbi/dev-ns-preperation-package:0.2.0 + image: ghcr.io/vrabbi/dev-ns-preperation-package@sha256:bb1e9612d93ef9613262d3d78a0fae5481e23832ed9cf7ad09a5eff6922f07c7 - annotations: kbld.carvel.dev/id: ghcr.io/vrabbi/flux-source-controller-package:v0.21.1 kbld.carvel.dev/origins: | 
@@ -30,19 +37,22 @@ images: url: ghcr.io/vrabbi/kpack-config-package:0.5.2 image: ghcr.io/vrabbi/kpack-config-package@sha256:d5e14db2df55a33590832876e6c9c662183e10c8c5136e7430a4bc369ecba95b - annotations: - kbld.carvel.dev/id: ghcr.io/vrabbi/ootb-supply-chains-package:0.1.1 + kbld.carvel.dev/id: ghcr.io/vrabbi/ootb-supply-chains-package:0.2.1 kbld.carvel.dev/origins: | - resolved: - tag: 0.1.1 - url: ghcr.io/vrabbi/ootb-supply-chains-package:0.1.1 - image: ghcr.io/vrabbi/ootb-supply-chains-package@sha256:6119cb4941f451c0ea856f789cac80e6dbd42470a46f05d1f174f7c6ec72e6cb + tag: 0.2.1 + url: ghcr.io/vrabbi/ootb-supply-chains-package:0.2.1 + image: ghcr.io/vrabbi/ootb-supply-chains-package@sha256:7709e655c803058e9125381bfd459a31830a6a5c518a9e5cbeb79ab4ffa6ae46 +- annotations: + kbld.carvel.dev/id: ghcr.io/vrabbi/service-bindings-package@sha256:e8f52ce61238d3b3f16f0ce0a2f1ae13a4e62e97f0c948457de83025760b66a6 + image: ghcr.io/vrabbi/service-bindings-package@sha256:e8f52ce61238d3b3f16f0ce0a2f1ae13a4e62e97f0c948457de83025760b66a6 - annotations: - kbld.carvel.dev/id: ghcr.io/vrabbi/tap-oss-package:0.1.3 + kbld.carvel.dev/id: ghcr.io/vrabbi/tap-oss-package:0.2.1 kbld.carvel.dev/origins: | - resolved: - tag: 0.1.3 - url: ghcr.io/vrabbi/tap-oss-package:0.1.3 - image: ghcr.io/vrabbi/tap-oss-package@sha256:27fada58dd517ce85a02dfa3f3783757c809bdcf2e8ffcf6dfe72362774a7f0e + tag: 0.2.1 + url: ghcr.io/vrabbi/tap-oss-package:0.2.1 + image: ghcr.io/vrabbi/tap-oss-package@sha256:fca06300a13022dccc7ef4e9e93d24810bc3aaa2083b18d38d8bfc782ca256d4 - annotations: kbld.carvel.dev/id: ghcr.io/vrabbi/tekton-package:0.32.1 kbld.carvel.dev/origins: | diff --git a/repo/packages/cert-injection-webhook/package-metadata.yaml b/repo/packages/cert-injection-webhook/package-metadata.yaml new file mode 100644 index 0000000..8085b54 --- /dev/null +++ b/repo/packages/cert-injection-webhook/package-metadata.yaml 
@@ -0,0 +1,16 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: PackageMetadata +metadata: + name: cert-injection-webhook.tap.oss +spec: + categories: + - webhook + - config + - system + - certificates + displayName: cert-injection-webhook + longDescription: Cert Injection Webhook package used primarily with Kpack to auto inject CA certs and Proxy details into the build pods + maintainers: + - name: Scott Rosenberg + providerName: TeraSky + shortDescription: Cert Injection Webhook for Kpack diff --git a/repo/packages/cert-injection-webhook/package.yaml b/repo/packages/cert-injection-webhook/package.yaml new file mode 100644 index 0000000..33fb9dd --- /dev/null +++ b/repo/packages/cert-injection-webhook/package.yaml @@ -0,0 +1,53 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + name: cert-injection-webhook.tap.oss.0.1.0 +spec: + licenses: + - Apache 2.0 + refName: cert-injection-webhook.tap.oss + releaseNotes: cert injection webhook 0.1.0 https://github.com/vmware-tanzu/cert-injection-webhook + template: + spec: + deploy: + - kapp: {} + fetch: + - imgpkgBundle: + image: ghcr.io/vrabbi/cert-injection-webhook-package:0.1.0 + template: + - ytt: + paths: + - config/ + - kbld: + paths: + - '-' + - .imgpkg/images.yml + valuesSchema: + openAPIv3: + properties: + labels: + type: array + items: + type: string + default: kpack.io/build + default: ["kpack.io/build"] + annotations: + type: array + items: + type: string + default: "" + default: [] + ca_cert_data: + type: string + default: "" + http_proxy: + type: string + default: "" + https_proxy: + type: string + default: "" + no_proxy: + type: string + default: "" + title: cert-injection-webhook.tap.oss.0.1.0 values schema + version: 0.1.0 diff --git a/repo/packages/ootb-supply-chains/package.yaml b/repo/packages/ootb-supply-chains/package.yaml index 4ccea1a..b127f5f 100644 --- a/repo/packages/ootb-supply-chains/package.yaml +++ b/repo/packages/ootb-supply-chains/package.yaml 
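Review bot: The `valuesSchema.openAPIv3` properties in the new cert-injection-webhook package.yaml carry no `description`, unlike the ootb-supply-chains package whose schema entries document each field (`description: Should Testing Supply chain be created and configured`); copying the `#@schema/desc` strings from values-schema.yaml — e.g. `description: Pod labels to trigger CA Cert injection` under `labels` — lets package tooling display them. The package also sets no `releasedAt`, while the sibling packages in this commit do. `items: default: kpack.io/build` is a plain scalar; quoting it as `"kpack.io/build"` matches the quoted form used on the next line and in the default values file.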
@@ -1,20 +1,20 @@ apiVersion: data.packaging.carvel.dev/v1alpha1 kind: Package metadata: - name: ootb-supply-chains.tap.oss.0.2.0 + name: ootb-supply-chains.tap.oss.0.2.1 spec: licenses: - Apache 2.0 refName: ootb-supply-chains.tap.oss - releaseNotes: ootb-supply-chains 0.2.0 for OSS TAP based on Cartographer examples - releasedAt: "2022-01-31T12:00:00Z" + releaseNotes: ootb-supply-chains 0.2.1 for OSS TAP based on Cartographer examples + releasedAt: "2022-09-02T12:00:00Z" template: spec: deploy: - kapp: {} fetch: - imgpkgBundle: - image: ghcr.io/vrabbi/ootb-supply-chains-package:0.2.0 + image: ghcr.io/vrabbi/ootb-supply-chains-package:0.2.1 template: - ytt: paths: @@ -87,5 +87,5 @@ spec: type: boolean default: true description: Should Testing Supply chain be created and configured - title: ootb-supply-chains.tap.oss 0.1.0 values schema - version: 0.2.0 + title: ootb-supply-chains.tap.oss 0.2.1 values schema + version: 0.2.1 diff --git a/repo/packages/tap-oss/package.yaml b/repo/packages/tap-oss/package.yaml index 59c7747..fc0c689 100644 --- a/repo/packages/tap-oss/package.yaml +++ b/repo/packages/tap-oss/package.yaml @@ -1,20 +1,20 @@ apiVersion: data.packaging.carvel.dev/v1alpha1 kind: Package metadata: - name: tap-install.tap.oss.0.2.0 + name: tap-install.tap.oss.0.2.1 spec: licenses: - Apache 2.0 refName: tap-install.tap.oss releaseNotes: TAP OSS Stack - releasedAt: "2022-01-31T12:00:00Z" + releasedAt: "2022-09-02T12:00:00Z" template: spec: deploy: - kapp: {} fetch: - imgpkgBundle: - image: ghcr.io/vrabbi/tap-oss-package:0.2.0 + image: ghcr.io/vrabbi/tap-oss-package:0.2.1 template: - ytt: paths: @@ -229,5 +229,5 @@ spec: description: list of package names to disable (e.g. kpack.tap.oss) items: type: string - title: tap-install.tap.oss.0.2.0 values schema - version: 0.2.0 + title: tap-install.tap.oss.0.2.1 values schema + version: 0.2.1
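Review bot: `releasedAt: "2022-09-02T12:00:00Z"` dates the 0.2.1 release to September, seven months after the `2022-01-31` stamp it replaces, which looks like a day/month swap for `2022-02-09T12:00:00Z`; the same timestamp appears in the tap-oss package.yaml hunk below. A wrong stamp misleads anyone auditing when a version went out, so confirm the intended date and apply it to both files.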