#@ load("@ytt:data", "data")
#@ load("@ytt:yaml", "yaml")
#@ load("@ytt:overlay", "overlay")
#! Public hostname under which the Pinniped supervisor is reachable. Built from
#! the cluster_domain data value; the "kubectl.phantom" prefix is fixed.
#@ def supervisor_svc_external_dns():
#@   return "kubectl.phantom.{domain}".format(domain=data.values.cluster_domain)
#@ end
#! Overlay fragment for the management cluster: sets the package role and
#! points the supervisor at the Let's Encrypt-issued certificate secret
#! (created by the Certificate in httpproxy()). missing_ok lets both keys be
#! added when data.values.pinniped does not already carry them.
#@ def management_overlay():
#@overlay/match missing_ok=True
tkg_cluster_role: management
#@overlay/match missing_ok=True
custom_tls_secret: pinniped-supervisor-public-certificate
#@ end
#! Overlay fragment for workload clusters: only the package role differs from
#! the shared values. missing_ok adds the key if it is not already present.
#@ def workload_overlay():
#@overlay/match missing_ok=True
tkg_cluster_role: workload
#@ end
#! Overlay fragment shared by management and workload clusters: tells the
#! package where the supervisor lives (HTTPS on its public DNS name).
#@ def both_overlay():
#@overlay/match missing_ok=True
pinniped:
  #@overlay/match missing_ok=True
  supervisor_svc_endpoint: #@ "https://" + supervisor_svc_external_dns()
  #@overlay/match missing_ok=True
  supervisor_svc_external_dns: #@ supervisor_svc_external_dns()
  #! "Cg==" is base64 for a single newline, i.e. effectively an empty CA
  #! bundle. NOTE(review): presumably intended because the supervisor serves a
  #! publicly trusted certificate and clients fall back to system roots — confirm.
  #@overlay/match missing_ok=True
  supervisor_ca_bundle_data: "Cg=="
#@ end
#! Package values for this cluster: data.values.pinniped with the shared
#! overlay applied first, then the role-specific one. A cluster whose name
#! contains "phantom" is treated as the management cluster.
#@ def pinniped_values():
#@   is_management = "phantom" in data.values.cluster.name
#@   role_overlay = management_overlay() if is_management else workload_overlay()
#@   shared = overlay.apply(data.values.pinniped, both_overlay())
#@   return overlay.apply(shared, role_overlay)
#@ end
#! Rendered once here and reused by the values Secret and by httpproxy().
#@ pinnivalues = pinniped_values()
#! Management-cluster-only manifests that expose the supervisor on its public
#! hostname: a cert-manager Certificate (ClusterIssuer letsencrypt-issuer), a
#! Contour HTTPProxy that passes TLS straight through to the supervisor
#! Service, and the pinniped-info ConfigMap in kube-public that publishes the
#! upstream OIDC issuer and its CA bundle.
#@ def httpproxy():
---
#! NOTE(review): cert-manager.io/v1alpha2 is a legacy API version; recent
#! cert-manager releases serve only cert-manager.io/v1 — confirm against the
#! installed version.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: pinniped-supervisor-public-certificate
  namespace: pinniped-supervisor
spec:
  secretName: pinniped-supervisor-public-certificate
  issuerRef:
    name: letsencrypt-issuer
    kind: ClusterIssuer
  dnsNames:
    - #@ supervisor_svc_external_dns()
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: pinniped-supervisor
  namespace: pinniped-supervisor
spec:
  virtualhost:
    fqdn: #@ supervisor_svc_external_dns()
    tls:
      #! Envoy forwards the raw TLS stream; the supervisor terminates TLS with
      #! the certificate above, so no plaintext is visible at the proxy.
      passthrough: true
  tcpproxy:
    services:
      - name: pinniped-supervisor
        port: 443
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: pinniped-info
  namespace: kube-public
data:
  #! NOTE(review): hard-coded even though cluster.name is a data value; confirm
  #! the two are meant to differ before templating it.
  cluster_name: tkg-mgmt-vc
  concierge_is_cluster_scoped: "true"
  issuer: #@ pinnivalues.pinniped.upstream_oidc_issuer_url
  issuer_ca_bundle_data: #@ pinnivalues.pinniped.upstream_oidc_tls_ca_data
#@ end
---
#! Installs the pinniped package with values from the pinniped-values Secret
#! and the extra ytt overlay files from the pinniped-clusterip-overlay Secret.
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: pinniped
  annotations:
    #! ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: pinniped-overlays
    ext.packaging.carvel.dev/ytt-paths-from-secret-name.1: pinniped-clusterip-overlay
spec:
  packageRef:
    refName: pinniped.tanzu.vmware.com
    versionSelection:
      #! Accepts any published version; tighten this to control upgrades.
      constraints: ">=0.0.0"
  values:
    - secretRef:
        name: pinniped-values
---
#! Package values consumed by the PackageInstall above: the merged
#! pinnivalues (data.values.pinniped plus the role overlays), YAML-encoded.
apiVersion: v1
kind: Secret
metadata:
  name: pinniped-values
stringData:
  values.yml: #@ yaml.encode(pinnivalues)
---
#! Extra ytt files fed to the package via ytt-paths-from-secret-name. The
#! block scalar below is plain text to this template; its #@ lines are only
#! evaluated when the package's own ytt run renders it.
apiVersion: v1
kind: Secret
metadata:
  name: pinniped-clusterip-overlay
stringData:
  securityoverlay.yaml: |
    #@ load("@ytt:overlay", "overlay")
    #@ load("@ytt:data", "data")

    #! Keep the supervisor Service cluster-internal; external traffic arrives
    #! through the HTTPProxy instead.
    #@overlay/match by=overlay.subset({"kind":"Service", "metadata":{"name":"pinniped-supervisor"}}), when=1
    ---
    spec:
      type: ClusterIP

    #! Drops the package's tls block from the authenticator. NOTE(review):
    #! presumably so the supervisor's public certificate is validated against
    #! system roots rather than a bundled CA — confirm.
    #@overlay/match by=overlay.subset({"kind":"JWTAuthenticator", "metadata":{"name":"tkg-jwt-authenticator"}}), when=1
    ---
    spec:
      #@overlay/remove
      tls:

    #! Serve the Let's Encrypt certificate (same secretName as the Certificate
    #! created in httpproxy()) from the federation domain.
    #@overlay/match by=overlay.subset({"kind":"FederationDomain", "metadata":{"name":"pinniped-federation-domain"}}), when=1
    ---
    spec:
      #@overlay/match missing_ok=True
      tls:
        #@overlay/match missing_ok=True
        secretName: pinniped-supervisor-public-certificate

    #! Remove the package's Job and its kapp ConfigMap entirely; the kapp
    #! Config document below replaces the latter.
    #@overlay/match by=overlay.subset({"kind":"Job"}), when=1
    ---
    #@overlay/remove

    #@overlay/match by=overlay.subset({"kind":"ConfigMap", "metadata":{"name":"pinniped-kapp-config"}}), when=1
    ---
    #@overlay/remove

    ---
    apiVersion: kapp.k14s.io/v1alpha1
    kind: Config
    minimumRequiredVersion: 0.40.0
    rebaseRules:
      #! ignore secret/pinniped-concierge-impersonation-proxy, they are dynamically updated
      #! (the token/CA fields are populated in-cluster, so keep the existing values)
      - paths:
          - [data, ca.crt]
          - [data, namespace]
          - [data, token]
          - [metadata, annotations, kubernetes.io/service-account.uid]
        type: copy
        sources: [existing]
        resourceMatchers:
          - kindNamespaceNameMatcher:
              kind: Secret
              namespace: pinniped-concierge
              name: pinniped-concierge-impersonation-proxy
  #! Public exposure manifests are only added on the management cluster.
  #@ if "phantom" in data.values.cluster.name:
  httpproxy.yaml: #@ yaml.encode(httpproxy())
  #@ end
#@data/values-schema
---
#! Passed in from management cluster.
cluster:
  name: ""
#! Passed in from management cluster.
cluster_domain: ""
#! Passed in from management cluster.
foundation:
  name: ""
acme_email: rvanvoorhees@vmware.com
acme_url: "https://acme-v02.api.letsencrypt.org/directory"
container_domain: us-east4-docker.pkg.dev/pa-rvanvoorhees
core_repository_tag: v1.22.9_vmware.1-tkg.1
#! Provided from the encrypted sops file. any=True disables schema checking
#! for these keys, so their shape is not validated here.
#@schema/type any=True
secrets:
#@schema/type any=True
pinniped:
contour:
  infrastructure_provider: aws
  namespace: projectcontour
  envoy:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    hostPorts:
      enable: false
#@schema/type any=True
externaldns:
#@schema/type any=True
externaldns_secrets:
kiam:
  aws_region: us-gov-east-1
  server:
    assumeRoleArn: kiam-server.cluster-api-provider-aws.sigs.k8s.io
#@data/values
---
pinniped:
  infrastructure_provider: aws
  identity_management_type: oidc
externaldns:
  namespace: external-dns
  deployment:
    args:
      - --source=contour-httpproxy
      - --source=ingress
      - --source=service
      - --provider=cloudflare
      #! - --cloudflare-proxied
      - --log-level=error
      - --log-format=text
      #! upsert-only never deletes records, so stale names must be cleaned up by hand.
      - --policy=upsert-only
      - --registry=txt
      - --interval=1m
      - --txt-prefix=rv2
    env:
      #! Token is read from a Secret, not inlined here.
      - name: CF_API_TOKEN
        valueFrom:
          secretKeyRef:
            name: cloudflare-api
            key: cloudflare_api_token
    #! NOTE(review): the hardened securityContext below is disabled, so the
    #! external-dns pod runs with whatever context the package defaults to;
    #! confirm that is intended.
    #! securityContext:
    #!   runAsNonRoot: true
    #!   runAsUser: 65534
    #!   readOnlyRootFilesystem: true
    #!   capabilities:
    #!     drop: ["ALL"]
#@data/values
#@overlay/match-child-defaults missing_ok=True
---
#! Placeholder credentials. NOTE(review): presumably overridden from the
#! sops-encrypted values referenced in the schema — keep real values out of
#! this file.
externaldns_secrets:
  cloudflare_api_token: CHANGEME
#! NOTE(review): httpproxy() reads pinnivalues.pinniped.upstream_oidc_issuer_url;
#! confirm these keys land where that lookup expects them.
pinniped:
  upstream_oidc_issuer_url: https://gitlab.com
  upstream_oidc_client_id: CHANGEME
  upstream_oidc_client_secret: CHANGEME
  upstream_oidc_claims:
    username: "email"
    groups: "groups"
  upstream_oidc_additional_scopes:
    - openid
    - profile
    - email
  #! Empty: no custom CA bundle is supplied for the issuer.
  upstream_oidc_tls_ca_data: ""