-
Notifications
You must be signed in to change notification settings - Fork 247
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1438 from Nordix/lentzi90/e2e-basic-auth-tls
⚠️ Kustomizations usable off the shelf
- Loading branch information
Showing
82 changed files
with
502 additions
and
316 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# Kustomizations for Baremetal Operator | ||
|
||
This folder contains kustomizations for the Baremetal Operator. They have | ||
traditionally been used through the [deploy.sh](../tools/deploy.sh) script, | ||
which takes care of generating the necessary config for basic-auth and TLS. | ||
However, a more GitOps friendly way would be to create your own static overlay. | ||
Check the `overlays/e2e` for an example that is used in the e2e tests. | ||
In the CI system we generate the necessary credentials before starting the test | ||
in `hack/ci-e2e.sh`, and put them directly in the `e2e` overlays. | ||
|
||
**NOTE** that you will need to supply the necessary secrets and config! This can | ||
be done in many ways, e.g. through the | ||
[external secrets operator](https://external-secrets.io/latest/) or directly in | ||
your overlay. | ||
In the CI system we generate the necessary credentials before starting the test | ||
in `hack/ci-e2e.sh`, and put them directly in the `e2e` overlays. | ||
|
||
- **base** - This is the kustomize base that we start from. | ||
- **components** - In here you will find re-usable kustomize components for TLS | ||
and basic-auth. | ||
- **basic-auth** - Enable basic authentication. Note that the basic-auth | ||
component is missing the actual credentials. This is on purpose, to make | ||
sure that the user is setting the password instead of using sample | ||
credentials. The required secrets are: | ||
- `ironic-credentials` | ||
- `ironic-inspector-credentials` | ||
- **tls** - Enable TLS. A CA certificate is needed here to verify the | ||
connection to Ironic. If you deploy BMO together with Ironic in a | ||
Kubernetes cluster, they can share the secret created for Ironic. The CA | ||
should be in a secret: | ||
- `ironic-cacert` | ||
- **default** - A minimal, fully working, BMO kustomization including configmap. | ||
Use only for development! There is no TLS or basic-auth. | ||
- **overlays** - Here you will find ready made overlays that use the above | ||
mentioned components. These can be used as examples. |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
# Adds namespace to all resources. | ||
namespace: baremetal-operator-system | ||
|
||
# Value of this field is prepended to the | ||
# names of all resources, e.g. a deployment named | ||
# "wordpress" becomes "alices-wordpress". | ||
# Note that it should also match with the prefix (text before '-') of the namespace | ||
# field above. | ||
namePrefix: baremetal-operator- | ||
|
||
# Labels to add to all resources and selectors. | ||
#commonLabels: | ||
# someName: someValue | ||
|
||
resources: | ||
- crds | ||
- rbac | ||
- manager.yaml | ||
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | ||
# crd/kustomization.yaml | ||
- webhook | ||
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. | ||
- certmanager | ||
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. | ||
#- prometheus | ||
|
||
generatorOptions: | ||
disableNameSuffixHash: true | ||
|
||
configMapGenerator: | ||
- name: manager-config | ||
files: | ||
- controller_manager_config.yaml | ||
|
||
patches: | ||
# Protect the /metrics endpoint by putting it behind auth. | ||
# If you want your controller-manager to expose the /metrics | ||
# endpoint w/o any authn/z, please comment the following line. | ||
- path: manager_auth_proxy_patch.yaml | ||
|
||
# Mount the controller config file for loading manager configurations | ||
# through a ComponentConfig type | ||
#- manager_config_patch.yaml | ||
|
||
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | ||
# crd/kustomization.yaml | ||
- path: manager_webhook_patch.yaml | ||
|
||
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. | ||
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. | ||
# 'CERTMANAGER' needs to be enabled to use ca injection | ||
- path: webhookcainjection_patch.yaml | ||
|
||
replacements: | ||
- source: | ||
kind: Certificate | ||
group: cert-manager.io | ||
version: v1 | ||
name: serving-cert # this name should match the one in certificate.yaml | ||
fieldpath: metadata.namespace | ||
targets: | ||
- select: | ||
kind: ValidatingWebhookConfiguration | ||
fieldPaths: | ||
- metadata.annotations.[cert-manager.io/inject-ca-from] | ||
options: | ||
delimiter: '/' | ||
index: 0 | ||
- select: | ||
kind: CustomResourceDefinition | ||
name: baremetalhosts.metal3.io | ||
fieldPaths: | ||
- metadata.annotations.[cert-manager.io/inject-ca-from] | ||
options: | ||
delimiter: '/' | ||
index: 0 | ||
- source: | ||
kind: Certificate | ||
group: cert-manager.io | ||
version: v1 | ||
name: serving-cert # this name should match the one in certificate.yaml | ||
fieldpath: metadata.name | ||
targets: | ||
- select: | ||
kind: ValidatingWebhookConfiguration | ||
fieldPaths: | ||
- metadata.annotations.[cert-manager.io/inject-ca-from] | ||
options: | ||
delimiter: '/' | ||
index: 1 | ||
- select: | ||
kind: CustomResourceDefinition | ||
name: baremetalhosts.metal3.io | ||
fieldPaths: | ||
- metadata.annotations.[cert-manager.io/inject-ca-from] | ||
options: | ||
delimiter: '/' | ||
index: 1 | ||
- source: | ||
kind: Service | ||
version: v1 | ||
name: webhook-service | ||
fieldpath: metadata.namespace | ||
targets: | ||
- select: | ||
kind: Certificate | ||
fieldPaths: | ||
- spec.dnsNames.* | ||
options: | ||
delimiter: '.' | ||
index: 1 | ||
- source: | ||
kind: Service | ||
version: v1 | ||
name: webhook-service | ||
fieldpath: metadata.name | ||
targets: | ||
- select: | ||
kind: Certificate | ||
fieldPaths: | ||
- spec.dnsNames.* | ||
options: | ||
delimiter: '.' | ||
index: 0 |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
apiVersion: kustomize.config.k8s.io/v1alpha1 | ||
kind: Component | ||
|
||
# NOTE: This component requires secrets with the basic auth credentials! | ||
# How you create them is up to you. | ||
# The required secrets are: | ||
# - ironic-credentials | ||
# - ironic-inspector-credentials | ||
# | ||
# Both should contain 2 fields: username and password. | ||
# Example: | ||
# | ||
# apiVersion: v1 | ||
# kind: Secret | ||
# metadata: | ||
# name: ironic-credentials | ||
# data: | ||
# password: <base64-encoded-password> | ||
# username: <base64-encoded-username> | ||
|
||
patches: | ||
- path: credentials_patch.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: kustomize.config.k8s.io/v1alpha1 | ||
kind: Component | ||
|
||
patches: | ||
- path: tls_ca_patch.yaml | ||
target: | ||
kind: Deployment | ||
name: controller-manager |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.