Add toolkit 1.12.1

manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/app-sso/overlay.yaml

@@ -0,0 +1,122 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+
+#@ if data.values.sso.tls.enabled:
+#@ http_prefix  = "https://authserver."
+#@ else:
+#@ http_prefix  = "http://authserver."
+#@ end
+---
+apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
+kind: AuthServer
+metadata:
+  name: basic-authserver
+  namespace: service-instances
+  labels:
+    name: basic-authserver
+  annotations:
+    sso.apps.tanzu.vmware.com/allow-client-namespaces: "service-instances"
+    #@ if not data.values.sso.tls.enabled:
+    sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri: ""
+    #@ end
+    #@ if data.values.sso.testuser_enabled:
+    sso.apps.tanzu.vmware.com/allow-unsafe-identity-provider: ""
+    #@ end
+spec:
+  replicas: 1
+  tokenSignature:
+    signAndVerifyKeyRef:
+      name: "authserver-signing-key"
+  identityProviders:
+    #@ if data.values.sso.testuser_enabled:
+    #@overlay/match by="name", missing_ok=True
+    - name: "internal"
+      internalUnsafe:
+        users:
+          - username: "user"
+            password: "{bcrypt}$2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK"
+    #@ end
+    #@ for sso_provider in data.values.sso.providers:
+    #@overlay/match by="name", missing_ok=True
+    - #@ sso_provider
+    #@ end
+  tls:
+#@ if not data.values.sso.tls.enabled:
+    deactivated: true
+#@ else:
+    secretRef:
+      name: #@ data.values.sso.tls.certname
+
+#@ if data.values.sso.tls.certnamespace != "":
+---
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretExport
+metadata:
+  name: #@ data.values.sso.tls.certname
+  namespace: #@ data.values.sso.tls.certnamespace
+spec:
+  toNamespace: service-instances
+---
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretImport
+metadata:
+  name: #@ data.values.sso.tls.certname
+  namespace: service-instances
+spec:
+  fromNamespace: #@ data.values.sso.tls.certnamespace
+#@ end
+#@ end
+---
+apiVersion: secretgen.k14s.io/v1alpha1
+kind: RSAKey
+metadata:
+  name: authserver-signing-key
+  namespace: service-instances
+spec:
+  secretTemplate:
+    type: Opaque
+    stringData:
+      key.pem: $(privateKey)
+      pub.pem: $(publicKey)
+---
+apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
+kind: ClientRegistration
+metadata:
+   name: basic-client-registration
+   namespace: service-instances
+spec:
+   authServerSelector:
+      matchLabels:
+         name: basic-authserver
+   redirectURIs: #@ data.values.sso.redirect_urls
+   requireUserConsent: false
+   clientAuthenticationMethod: client_secret_basic
+   authorizationGrantTypes:
+      - client_credentials
+      - authorization_code
+   scopes:
+      - name: "openid"
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+  name: appsso
+spec:
+  description:
+    short: It's a SSO service!
+  pool:
+    group: sso.apps.tanzu.vmware.com
+    kind: ClientRegistration
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ResourceClaimPolicy
+metadata:
+  name: appsso-cross-namespace
+  namespace: service-instances
+spec:
+  consumingNamespaces:
+  - '*'
+  subject:
+    group: sso.apps.tanzu.vmware.com
+    kind: ClientRegistration

manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/base.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+  name: secrets
+spec:
+  description:
+    short: It's a set of Secrets!
+  pool:
+    kind: Secret
+    labelSelector:
+      matchLabels:
+        claimable: "true"
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ResourceClaimPolicy
+metadata:
+  name: secrets-cross-namespace
+  namespace: service-instances
+spec:
+  consumingNamespaces:
+  - '*'
+  subject:
+    kind: Secret
+    group: ""
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: service-instances
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tap-registry
+  namespace: service-instances
+  annotations:
+    secretgen.carvel.dev/image-pull-secret: ""
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30K
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  namespace: service-instances
+  annotations:
+    kapp.k14s.io/create-strategy: fallback-on-update  
+secrets:
+  - name: tap-registry
+imagePullSecrets:
+  - name: tap-registry
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: resource-claims-secret
+  labels:
+    servicebinding.io/controller: "true"
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]

manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/dynamic-cluster-role.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+  name: dynamic-rabbitmq
+spec:
+  description:
+    short: On-demand RabbitMQ clusters!
+  provisioner:
+    crossplane:
+      compositeResourceDefinition: xrabbitmqclusters.messaging.tanzu.japan.com
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rmqcluster-read-writer
+  labels:
+    services.tanzu.vmware.com/aggregate-to-provider-kubernetes: "true"
+rules:
+- apiGroups:
+  - rabbitmq.com
+  resources:
+  - rabbitmqclusters
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: app-operator-claim-class-bigcorp-rabbitmq
+  labels:
+    apps.tanzu.vmware.com/aggregate-to-app-operator-cluster-access: "true"
+rules:
+- apiGroups:
+  - services.apps.tanzu.vmware.com
+  resources:
+  - clusterinstanceclasses
+  resourceNames:
+  - dynamic-rabbitmq
+  verbs:
+  - claim