From eca60da22b05bda25b18c5fc8df261d2a0c0b5bb Mon Sep 17 00:00:00 2001 From: Sebastian Widmer Date: Tue, 23 Jan 2024 13:28:47 +0100 Subject: [PATCH] Allow hierarchical token store configuration --- component/main.jsonnet | 19 ++++++++++++++++--- .../ROOT/pages/references/parameters.adoc | 19 +++++++++++++++++++ tests/defaults.yml | 6 ++++++ .../20_emergencyaccounts.yaml | 5 +++++ 4 files changed, 46 insertions(+), 3 deletions(-) diff --git a/component/main.jsonnet b/component/main.jsonnet index dc10866..570a299 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -34,18 +34,31 @@ local alerts = function(name, groupName, alerts) local emergencyAccounts = std.map( - function(ea) ea { _create_binding:: super._create_binding }, + function(ea) ea { + // Commodores makeMergeable unhides fields so we hide them after processing + _create_binding:: super._create_binding, + spec+: { + _tokenStores+:: {}, + }, + }, com.generateResources( params.emergency_accounts, - function(name) kube._Object('cluster.appuio.io/v1beta1', 'EmergencyAccount', name) { + function(name) kube._Object('cluster.appuio.io/v1beta1', 'EmergencyAccount', name) + { + spec+: { + tokenStores+: [], + _tokenStores+: {}, + }, + } + { metadata+: { namespace: params.namespace, }, + spec+: { + tokenStores+: std.map(function(k) self._tokenStores[k] { name: k }, std.objectFields(self._tokenStores)), + }, }, ) ); - local emergencyAccountBindings = std.filterMap( function(name) std.get(params.emergency_accounts[name], '_create_binding', true), function(name) kube.ClusterRoleBinding(name) { diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 0c7c988..fe6db3e 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
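Review bot: The merged `tokenStores` list built in the new `spec+:` block is never checked for duplicate `name` entries, so a store defined under `_tokenStores` and again in the per-account `tokenStores` list (or inherited under two hierarchy layers that disagree on the key) ends up twice in `spec.tokenStores`; how the controller treats that is not visible here, so failing at compile time is safer. An object-level assertion next to the `std.map(...)` that builds the list would catch it, since `self` is late-bound to the fully merged spec: `local names = std.map(function(t) t.name, self.tokenStores),` followed by `assert std.length(std.set(names)) == std.length(names) : 'duplicate tokenStore names in EmergencyAccount: %s' % std.toString(names),`. Note also that the mapped stores are appended to the empty base list before the account's own `tokenStores` are merged in, so hierarchy-defined stores come first (the golden file in this patch shows `ext-s3` ahead of `secret`), which does not match the "appended to the `tokenStores` key" wording added to parameters.adoc. Everything under `_tokenStores` is copied verbatim into each account's spec, and the adoc example places an S3 `secretAccessKey` there, so the documentation should state that these values are secrets and, if this component follows the usual Commodore convention, should be Vault references rather than literals in the hierarchy.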
@@ -63,6 +63,21 @@ emergency_accounts: tokenStores: - name: secret type: secret + _tokenStores: + ext-s3: + type: s3 + s3Store: + encryption: + encrypt: true + pgpKeys: [omitted] + s3: + endpoint: zrh.example.io + bucket: emergency-credentials + accessKeyId: nJxvJLuryTpxBVt16La4xEM5ZfAB5fIVPGEPdDrR + secretAccessKey: Z9rQrB2QHLEcmCVBqGi8EnKlKUfUcQ6PrfXnjenH + objectNameTemplate: "em-{{ .Context.ClusterId | sha256sum }}" + objectNameTemplateContext: + ClusterId: ${cluster:name} no-binding: _create_binding: false spec: @@ -76,6 +91,10 @@ The value is the configuration of the `EmergencyAccount` object. The value has an additional key `_create_binding` which is used to control whether a `ClusterRoleBinding` to the ClusterRole defined in `cluster_admin_role` should be created. The default is `true`. +The `_tokenStores` keys is a helper to hierarchically configure the `tokenStores` key. +It is a dictionary where the key is the name of the `tokenStore` and the value is the configuration of the `tokenStore`. +The resulting configurations are appended to the `tokenStores` key. + See https://github.com/appuio/emergency-credentials-controller for the manifest definition. diff --git a/tests/defaults.yml b/tests/defaults.yml index ca7cb73..0c374f1 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -14,3 +14,9 @@ parameters: _create_binding: false spec: validityDuration: 720h + tokenStores: + - name: secret + type: secret + _tokenStores: + ext-s3: + type: s3 diff --git a/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/20_emergencyaccounts.yaml b/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/20_emergencyaccounts.yaml index 4626c25..8446a79 100644 --- a/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/20_emergencyaccounts.yaml +++ b/tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/20_emergencyaccounts.yaml 
@@ -22,4 +22,9 @@ metadata: name: no-binding namespace: appuio-emergency-credentials-controller spec: + tokenStores: + - name: ext-s3 + type: s3 + - name: secret + type: secret validityDuration: 720h