diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/app-sso/overlay.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/app-sso/overlay.yaml
new file mode 100644
index 0000000..ce04682
--- /dev/null
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/app-sso/overlay.yaml
@@ -0,0 +1,122 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+
+#@ if data.values.sso.tls.enabled:
+#@ http_prefix = "https://authserver."
+#@ else:
+#@ http_prefix = "http://authserver."
+#@ end
+---
+apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
+kind: AuthServer
+metadata:
+ name: basic-authserver
+ namespace: service-instances
+ labels:
+ name: basic-authserver
+ annotations:
+ sso.apps.tanzu.vmware.com/allow-client-namespaces: "service-instances"
+ #@ if not data.values.sso.tls.enabled:
+ sso.apps.tanzu.vmware.com/allow-unsafe-issuer-uri: ""
+ #@ end
+ #@ if data.values.sso.testuser_enabled:
+ sso.apps.tanzu.vmware.com/allow-unsafe-identity-provider: ""
+ #@ end
+spec:
+ replicas: 1
+ tokenSignature:
+ signAndVerifyKeyRef:
+ name: "authserver-signing-key"
+ identityProviders:
+ #@ if data.values.sso.testuser_enabled:
+ #@overlay/match by="name", missing_ok=True
+ - name: "internal"
+ internalUnsafe:
+ users:
+ - username: "user"
+ password: "{bcrypt}$2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK"
+ #@ end
+ #@ for sso_provider in data.values.sso.providers:
+ #@overlay/match by="name", missing_ok=True
+ - #@ sso_provider
+ #@ end
+ tls:
+#@ if not data.values.sso.tls.enabled:
+ deactivated: true
+#@ else:
+ secretRef:
+ name: #@ data.values.sso.tls.certname
+
+#@ if data.values.sso.tls.certnamespace != "":
+---
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretExport
+metadata:
+ name: #@ data.values.sso.tls.certname
+ namespace: #@ data.values.sso.tls.certnamespace
+spec:
+ toNamespace: service-instances
+---
+apiVersion: secretgen.carvel.dev/v1alpha1
+kind: SecretImport
+metadata:
+ name: #@ data.values.sso.tls.certname
+ namespace: service-instances
+spec:
+ fromNamespace: #@ data.values.sso.tls.certnamespace
+#@ end
+#@ end
+---
+apiVersion: secretgen.k14s.io/v1alpha1
+kind: RSAKey
+metadata:
+ name: authserver-signing-key
+ namespace: service-instances
+spec:
+ secretTemplate:
+ type: Opaque
+ stringData:
+ key.pem: $(privateKey)
+ pub.pem: $(publicKey)
+---
+apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
+kind: ClientRegistration
+metadata:
+ name: basic-client-registration
+ namespace: service-instances
+spec:
+ authServerSelector:
+ matchLabels:
+ name: basic-authserver
+ redirectURIs: #@ data.values.sso.redirect_urls
+ requireUserConsent: false
+ clientAuthenticationMethod: client_secret_basic
+ authorizationGrantTypes:
+ - client_credentials
+ - authorization_code
+ scopes:
+ - name: "openid"
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+ name: appsso
+spec:
+ description:
+ short: It's a SSO service!
+ pool:
+ group: sso.apps.tanzu.vmware.com
+ kind: ClientRegistration
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ResourceClaimPolicy
+metadata:
+ name: appsso-cross-namespace
+ namespace: service-instances
+spec:
+ consumingNamespaces:
+ - '*'
+ subject:
+ group: sso.apps.tanzu.vmware.com
+ kind: ClientRegistration
diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/base.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/base.yaml
new file mode 100644
index 0000000..6fc655d
--- /dev/null
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/base.yaml
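Review bot: The `internalUnsafe` provider with the committed `{bcrypt}` hash for `user`, together with the `allow-unsafe-identity-provider` annotation, is gated only on `sso.testuser_enabled`, which the values.yaml hunk in this commit defaults to `true`, so the out-of-the-box AuthServer accepts a shared test credential; a comment at `#@ if data.values.sso.testuser_enabled:` such as `#@ evaluation only: shared test user, keep testuser_enabled false outside throwaway clusters` and a `false` default would make the opt-in explicit. `http_prefix` is assigned in both branches of the `tls.enabled` conditional at the top of the hunk but is never referenced afterwards in the file, so it is either dead code or a missing use; remove it or wire it to the field it was meant for. `allow-unsafe-issuer-uri` is likewise emitted whenever `tls.enabled` is false, which is also the default in this commit.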
@@ -0,0 +1,66 @@
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+ name: secrets
+spec:
+ description:
+ short: It's a set of Secrets!
+ pool:
+ kind: Secret
+ labelSelector:
+ matchLabels:
+ claimable: "true"
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ResourceClaimPolicy
+metadata:
+ name: secrets-cross-namespace
+ namespace: service-instances
+spec:
+ consumingNamespaces:
+ - '*'
+ subject:
+ kind: Secret
+ group: ""
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: service-instances
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tap-registry
+ namespace: service-instances
+ annotations:
+ secretgen.carvel.dev/image-pull-secret: ""
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: e30K
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+ namespace: service-instances
+ annotations:
+ kapp.k14s.io/create-strategy: fallback-on-update
+secrets:
+ - name: tap-registry
+imagePullSecrets:
+ - name: tap-registry
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: resource-claims-secret
+ labels:
+ servicebinding.io/controller: "true"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/dynamic-cluster-role.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/dynamic-cluster-role.yaml
new file mode 100644
index 0000000..8535f69
--- /dev/null
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/dynamic-cluster-role.yaml
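Review bot: The `resource-claims-secret` ClusterRole at the end of the hunk grants `get`/`list`/`watch` on `secrets` across the whole cluster, while the only claim policy in this hunk (`secrets-cross-namespace`) authorizes claims against Secrets in `service-instances` carrying `claimable: "true"`; unless the `servicebinding.io/controller: "true"` aggregation requires a ClusterRole (likely, but not shown here), a Role plus RoleBinding scoped to `service-instances` would be the least-privilege shape. If the ClusterRole has to stay, a comment above `rules:` such as `# cluster-wide read is required by the servicebinding aggregation; claimable Secrets live only in service-instances` records why. `consumingNamespaces: ['*']` also lets every namespace claim any labelled Secret in `service-instances`, which is presumably intended for a starter but deserves the same one-line comment.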
@@ -0,0 +1,41 @@
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+ name: dynamic-rabbitmq
+spec:
+ description:
+ short: On-demand RabbitMQ clusters!
+ provisioner:
+ crossplane:
+ compositeResourceDefinition: xrabbitmqclusters.messaging.tanzu.japan.com
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rmqcluster-read-writer
+ labels:
+ services.tanzu.vmware.com/aggregate-to-provider-kubernetes: "true"
+rules:
+- apiGroups:
+ - rabbitmq.com
+ resources:
+ - rabbitmqclusters
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: app-operator-claim-class-bigcorp-rabbitmq
+ labels:
+ apps.tanzu.vmware.com/aggregate-to-app-operator-cluster-access: "true"
+rules:
+- apiGroups:
+ - services.apps.tanzu.vmware.com
+ resources:
+ - clusterinstanceclasses
+ resourceNames:
+ - dynamic-rabbitmq
+ verbs:
+ - claim
diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/overlay.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/overlay.yaml
new file mode 100644
index 0000000..949ba9b
--- /dev/null
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/overlay.yaml
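Review bot: The ClusterRole name `app-operator-claim-class-bigcorp-rabbitmq` does not match the class it grants `claim` on, `dynamic-rabbitmq`; it reads as copied from a reference example and should be renamed, e.g. `name: app-operator-claim-class-dynamic-rabbitmq`. `rmqcluster-read-writer` grants `verbs: ["*"]` on `rabbitmqclusters` cluster-wide through the `aggregate-to-provider-kubernetes` label; listing the verbs the provider presumably needs (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) instead of `"*"` avoids silently picking up `deletecollection` and any verb added later, and a comment above `rules:` stating why the provider needs write access on this resource would document the grant.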
@@ -0,0 +1,169 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+
+#@ if data.values.rabbitmq.enabled:
+#@ if data.values.rabbitmq.package.install:
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rabbitmq-install
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tap-registry
+ namespace: rabbitmq-install
+ annotations:
+ secretgen.carvel.dev/image-pull-secret: ""
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: e30K
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kapp-sa
+ namespace: rabbitmq-install
+secrets:
+ - name: tap-registry
+imagePullSecrets:
+ - name: tap-registry
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rabbit-kapp-role-binding
+ namespace: rabbitmq-install
+subjects:
+- kind: ServiceAccount
+ name: kapp-sa
+ namespace: rabbitmq-install
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageRepository
+metadata:
+ generation: 2
+ name: tmq-pack
+ namespace: rabbitmq-install
+ annotations:
+ kapp.k14s.io/change-group: "pkgr"
+spec:
+ fetch:
+ imgpkgBundle:
+ image: #@ data.values.rabbitmq.package.repo + ":" + data.values.rabbitmq.package.version
+---
+apiVersion: packaging.carvel.dev/v1alpha1
+kind: PackageInstall
+metadata:
+ name: rabbitmq
+ namespace: rabbitmq-install
+ annotations:
+ ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: "namespace-overlay"
+spec:
+ serviceAccountName: kapp-sa
+ packageRef:
+ refName: rabbitmq.tanzu.vmware.com
+ versionSelection:
+ constraints: #@ data.values.rabbitmq.package.operator_version
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: namespace-overlay
+ namespace: rabbitmq-install
+stringData:
+ overlay.yaml: |
+ #@ load("@ytt:overlay", "overlay")
+
+ #@overlay/match by=overlay.subset({"kind":"Namespace", "metadata": {"name": "rabbitmq-system"}}), expects="0+"
+ ---
+ metadata:
+ labels:
+ #@overlay/match missing_ok=True
+ pod-security.kubernetes.io/enforce: baseline
+#@ end
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: resource-claims-rmq
+ labels:
+ servicebinding.io/controller: "true"
+rules:
+- apiGroups: ["rabbitmq.com"]
+ resources: ["rabbitmqclusters"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ClusterInstanceClass
+metadata:
+ name: rabbitmq
+spec:
+ description:
+ short: It's a RabbitMQ cluster!
+ pool:
+ group: rabbitmq.com
+ kind: RabbitmqCluster
+---
+apiVersion: services.apps.tanzu.vmware.com/v1alpha1
+kind: ResourceClaimPolicy
+metadata:
+ name: rabbitmqcluster-cross-namespace
+ namespace: service-instances
+spec:
+ consumingNamespaces:
+ - '*'
+ subject:
+ group: rabbitmq.com
+ kind: RabbitmqCluster
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: rabbitmqclusters.rabbitmq.com
+ annotations:
+ kapp.k14s.io/exists: ""
+ kapp.k14s.io/change-group: "tkcrd"
+spec:
+ group: rabbitmq.com
+ versions:
+ - name: v1beta1
+ names:
+ kind: RabbitmqCluster
+ scope: Namespaced
+#@ count = data.values.rabbitmq.count + 1
+#@ for j in range(1,count):
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+ name: #@ "rmq-" + str(j)
+ namespace: service-instances
+ annotations:
+ kapp.k14s.io/change-rule: "upsert after upserting tkcrd"
+spec:
+ imagePullSecrets:
+ - name: tap-registry
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 250Mi
+ rabbitmq:
+ additionalPlugins:
+ - rabbitmq_shovel
+ - rabbitmq_shovel_management
+ - rabbitmq_management
+ - rabbitmq_prometheus
+ - rabbitmq_peer_discovery_k8s
+#@ end
+#@ end
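Review bot: `rabbit-kapp-role-binding` binds `kapp-sa` to `cluster-admin`, so any pod in `rabbitmq-install` that mounts that ServiceAccount, or anyone who can read its token, holds full cluster rights for as long as the starter is installed; if this is the documented requirement of the RabbitMQ package install, a comment above the binding (`# cluster-admin is required by the package install; scope down once the package ships a narrower role`) is the minimum, and a ClusterRole limited to the resources the package creates is the better fix. `metadata.namespace: rabbitmq-install` on the ClusterRoleBinding has no effect because the kind is cluster-scoped, and `generation: 2` on the PackageRepository is a server-managed field with no meaning in a manifest; both lines should go. `#@ count = data.values.rabbitmq.count + 1` exists only to feed `range(1,count)`; `#@ for j in range(1, data.values.rabbitmq.count + 1):` reads more directly and drops the extra name.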
diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/xrabbitmqclusters.messaging.tanzu.japan.com.composition.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/xrabbitmqclusters.messaging.tanzu.japan.com.composition.yaml
new file mode 100644
index 0000000..241717c
--- /dev/null
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/xrabbitmqclusters.messaging.tanzu.japan.com.composition.yaml
@@ -0,0 +1,143 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: xrabbitmqclusters.messaging.tanzu.japan.com
+spec:
+ compositeTypeRef:
+ apiVersion: messaging.tanzu.japan.com/v1alpha1
+ kind: XRabbitmqCluster
+ resources:
+ - base:
+ apiVersion: kubernetes.crossplane.io/v1alpha1
+ kind: Object
+ spec:
+ forProvider:
+ manifest:
+ apiVersion: rabbitmq.com/v1beta1
+ kind: RabbitmqCluster
+ metadata:
+ namespace: service-instances
+ spec:
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 250Mi
+ imagePullSecrets:
+ - name: tap-registry
+ rabbitmq:
+ additionalPlugins:
+ - rabbitmq_shovel
+ - rabbitmq_shovel_management
+ - rabbitmq_management
+ - rabbitmq_prometheus
+ - rabbitmq_peer_discovery_k8s
+ connectionDetails:
+ - apiVersion: v1
+ kind: Secret
+ namespace: service-instances
+ fieldPath: data.provider
+ toConnectionSecretKey: provider
+ - apiVersion: v1
+ kind: Secret
+ namespace: service-instances
+ fieldPath: data.type
+ toConnectionSecretKey: type
+ - apiVersion: v1
+ kind: Secret
+ namespace: service-instances
+ fieldPath: data.host
+ toConnectionSecretKey: host
+ - apiVersion: v1
+ kind: Secret
+ namespace: service-instances
+ fieldPath: data.port
+ toConnectionSecretKey: port
+ - apiVersion: v1
+ kind: Secret
+ namespace: service-instances
+ fieldPath: data.username
+ toConnectionSecretKey: username
+ - apiVersion: v1
+ kind: Secret
+ namespace: service-instances
+ fieldPath: data.password
+ toConnectionSecretKey: password
+ writeConnectionSecretToRef:
+ namespace: service-instances
+ connectionDetails:
+ - fromConnectionSecretKey: provider
+ - fromConnectionSecretKey: type
+ - fromConnectionSecretKey: host
+ - fromConnectionSecretKey: port
+ - fromConnectionSecretKey: username
+ - fromConnectionSecretKey: password
+ patches:
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.forProvider.manifest.metadata.name
+ type: FromCompositeFieldPath
+ - fromFieldPath: spec.service.type
+ toFieldPath: spec.forProvider.manifest.spec.service.type
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.writeConnectionSecretToRef.name
+ transforms:
+ - string:
+ fmt: '%s-rmq'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.connectionDetails[0].name
+ transforms:
+ - string:
+ fmt: '%s-default-user'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.connectionDetails[1].name
+ transforms:
+ - string:
+ fmt: '%s-default-user'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.connectionDetails[2].name
+ transforms:
+ - string:
+ fmt: '%s-default-user'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.connectionDetails[3].name
+ transforms:
+ - string:
+ fmt: '%s-default-user'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.connectionDetails[4].name
+ transforms:
+ - string:
+ fmt: '%s-default-user'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ - fromFieldPath: metadata.name
+ toFieldPath: spec.connectionDetails[5].name
+ transforms:
+ - string:
+ fmt: '%s-default-user'
+ type: Format
+ type: string
+ type: FromCompositeFieldPath
+ readinessChecks:
+ - type: MatchString
+ fieldPath: status.atProvider.manifest.status.conditions[1].status # ClusterAvailable
+ matchString: "True"
diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/xrabbitmqclusters.messaging.tanzu.japan.com.xrd.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/xrabbitmqclusters.messaging.tanzu.japan.com.xrd.yaml
new file mode 100644
index 0000000..e82b5c0
--- /dev/null
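Review bot: The readiness check at the end of the hunk selects `status.conditions[1].status` by position, with only the trailing `# ClusterAvailable` comment tying that index to a meaning; if the RabbitMQ operator reorders or adds conditions, the check silently tracks a different condition and the composite is marked ready on the wrong signal. At minimum the assumption should be stated where it is made, e.g. `# assumes the operator reports conditions in a fixed order with ClusterAvailable at index 1 — re-check on operator upgrades`. The six `spec.connectionDetails[N].name` patches all resolve to the same `%s-default-user` Secret in `service-instances`, from which `username` and `password` are copied into the connection secret; a short comment above `connectionDetails:` naming that Secret and who creates it (presumably the RabbitMQ operator) would help the next reader follow the credential flow.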
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/tanzu-rabbitmq/xrabbitmqclusters.messaging.tanzu.japan.com.xrd.yaml
@@ -0,0 +1,43 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xrabbitmqclusters.messaging.tanzu.japan.com
+spec:
+ connectionSecretKeys:
+ - host
+ - password
+ - port
+ - provider
+ - type
+ - username
+ group: messaging.tanzu.japan.com
+ names:
+ kind: XRabbitmqCluster
+ plural: xrabbitmqclusters
+ versions:
+ - name: v1alpha1
+ referenceable: true
+ served: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ properties:
+ service:
+ default:
+ type: ClusterIP
+ description: The desired state of the Kubernetes Service to create
+ for the cluster.
+ properties:
+ type:
+ default: ClusterIP
+ description: 'Type of Service to create for the cluster. Must
+ be one of: ClusterIP, LoadBalancer, NodePort. For more info
+ see https://pkg.go.dev/k8s.io/api/core/v1#ServiceType'
+ enum:
+ - ClusterIP
+ - LoadBalancer
+ - NodePort
+ type: string
+ type: object
diff --git a/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/values.yaml b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/values.yaml
new file mode 100644
index 0000000..79157f1
--- /dev/null
+++ b/manifests/tap-toolkit-starter.tanzu.japan.com/1.12.1/values.yaml
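Review bot: The `service.type` enum lets a claimant request `LoadBalancer` or `NodePort`, and the composition in this commit patches that value straight into the RabbitmqCluster, so a claim against the `dynamic-rabbitmq` class can expose a broker outside the cluster; if that is not intended for a starter, trim the enum to `ClusterIP`, or state the exposure explicitly in the `description` so operators granting `claim` on the class know what they are allowing. `default: {type: ClusterIP}` on `service` and `default: ClusterIP` on `service.properties.type` say the same thing twice; keeping only the inner one is enough.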
@@ -0,0 +1,40 @@
+#@data/values-schema
+---
+#@schema/desc "Rabbitmq starter"
+rabbitmq:
+ #@schema/desc "Enable starter"
+ enabled: true
+ #@schema/desc "package installation"
+ package:
+ #@schema/desc "install via carvel"
+ install: true
+ #@schema/desc "install repo"
+ repo: rabbitmq-kubernetes.packages.broadcom.com/tanzu-rabbitmq-package-repo
+ #@schema/desc "install version"
+ version: 4.0.1
+ #@schema/desc "operator version"
+ operator_version: 4.0.1
+ #@schema/desc "instance count"
+ count: 0
+
+
+
+#@schema/desc "AppSSO starter"
+sso:
+ #@schema/desc "tls setting"
+ tls:
+ #@schema/desc "enable (recommended to true)"
+ enabled: false
+ #@schema/desc "cert name"
+ certname: cnrs-default-tls
+ #@schema/desc "cert namespace"
+ certnamespace: tanzu-system-ingress
+ #@schema/desc "Enable test users"
+ testuser_enabled: true
+ #@schema/desc "Providers"
+ #@schema/type any=True
+ providers: []
+ #@schema/desc "Redirect URLs"
+ redirect_urls:
+ - https://example.com
+
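Review bot: The defaults `sso.tls.enabled: false` and `sso.testuser_enabled: true` together make the AuthServer in the app-sso overlay of this commit start with both `allow-unsafe-*` annotations and a shared test user, while the schema description for `tls.enabled` itself says `recommended to true`. Flip the defaults to the safe side (`enabled: true` for TLS, `testuser_enabled: false`) or at least say so in the descriptions, e.g. `#@schema/desc "Enable the shared internalUnsafe test user (evaluation only)"`. `redirect_urls` defaults to `https://example.com`, which the ClientRegistration registers as a real redirect URI if the operator forgets to override it; an empty list with a description asking for the application's URLs would be safer, if the ClientRegistration accepts an empty list.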