Final update

manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/hacks/change-pvc-orphan-delete-strategy-secret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pvc-owned-for-deletion-strategy-overlay
+stringData:
+  #@yaml/text-templated-strings
+  pvc-owned-for-deletion-strategy.yaml: |
+    #@ load("@ytt:overlay", "overlay")
+    #@overlay/match by=overlay.subset({"kind": "PersistentVolumeClaim"}), expects="0+"
+    ---
+    #@overlay/match missing_ok=True
+    metadata:
+      #@overlay/match missing_ok=True
+      #@overlay/match-child-defaults missing_ok=True
+      annotations:
+        #@overlay/match missing_ok=True
+        kapp.k14s.io/owned-for-deletion: ""

manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/hacks/remove-pvc-orphan-delete-strategy.yaml → manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/hacks/change-pvc-orphan-delete-strategy.yaml

@@ -3,10 +3,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: remove-pvc-orphan-delete-strategy
+  name: change-pvc-orphan-delete-strategy
   namespace: #@ data.values.tp.namespace
 stringData:
-  remove-pvc-orphan-delete-strategy.yaml: |
+  change-pvc-orphan-delete-strategy.yaml: |
     #! By default TP will automatically put PVCs into orphan status, but for PoC this will lead to PVC not being deleted after uninstall
     #@ load("@ytt:overlay", "overlay")
     
@@ -15,6 +15,6 @@ stringData:
     metadata:
       #@overlay/match missing_ok=True
       annotations:
-        #@overlay/remove
-        ext.packaging.carvel.dev/ytt-paths-from-secret-name.5: pvc-orphan-delete-strategy-overlay
+        #@overlay/match missing_ok=True
+        ext.packaging.carvel.dev/ytt-paths-from-secret-name.5: pvc-owned-for-deletion-strategy-overlay
 

manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/openldap/openldap.yaml

@@ -59,7 +59,7 @@ spec:
         - name: LDAP_TLS_CA_FILE
           value: /tls/ca.crt
         #@ end
-        image: index.docker.io/bitnami/openldap@sha256:8e3f28db7a8c05d7db99ec688b8ca1044f0deaf8f98ea5b1f71c42276e3c1583
+        image: #@ data.values.openldap.image
         imagePullPolicy: Always
         name: openldap
         ports:

manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/pkgr/tp-install.yaml

@@ -71,16 +71,16 @@ metadata:
   name: sm
   namespace: #@ data.values.tp.namespace
   annotations:
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: add-limit-to-clickhouse
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.1: make-tmc-xsmall
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.2: reduce-kafka-replica
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.3: reduce-redis-replica
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.4: make-ensemble-read-single-kafka
-    #@ if not data.values.tp.keep_pvc:
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.5: remove-pvc-orphan-delete-strategy
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: tp-values
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.1: tp-values-generated-secrets
+    #@ if data.values.tp.hack_enabled:
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.2: add-limit-to-clickhouse
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.3: make-tmc-xsmall
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.4: reduce-kafka-replica
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.5: reduce-redis-replica
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.6: make-ensemble-read-single-kafka
+    ext.packaging.carvel.dev/ytt-paths-from-secret-name.7: change-pvc-orphan-delete-strategy
     #@ end
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.6: tp-values
-    ext.packaging.carvel.dev/ytt-paths-from-secret-name.7: tp-values-generated-secrets
     ext.packaging.carvel.dev/fetch-0-secret-name: registrysecret
     kapp.k14s.io/change-rule: "upsert after upserting pkgr"
 spec:

manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/secretgen/rsa.yaml

@@ -8,14 +8,92 @@ metadata:
   annotations:
     kapp.k14s.io/change-group: "secrettemplate"
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: rsa-role
+  namespace: #@ data.values.tp.namespace
+  annotations:
+    kapp.k14s.io/change-group: "secrettemplate"
+rules:
+  - apiGroups: ['']
+    resources: ['secret']
+    verbs: ['create', 'update']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: rsa-role-bindings
+  annotations:
+    kapp.k14s.io/change-group: "secrettemplate"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: rsa-role
+subjects:
+  - kind: ServiceAccount
+    name: rsa-sa
+    namespace: #@ data.values.tp.namespace
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rsa-sa
+  namespace: #@ data.values.tp.namespace
+  annotations:
+    kapp.k14s.io/change-group: "secrettemplate"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rsa-create
+  namespace: #@ data.values.tp.namespace
+  annotations:
+    kapp.k14s.io/change-group: "secrettemplate"
+spec:
+  template:
+    spec:
+      serviceAccountName: rsa-sa
+      restartPolicy: Never
+      volumes:
+        - name: data
+          emptyDir: {}
+      containers:
+        - name: openssl
+          image: #@ data.values.tp.rsa_builer.openssl_image
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              openssl genrsa -out /data/key.pem 2048 ; 
+              openssl rsa -in /data/key.pem -pubout -out /data/pub.pem ;
+              chmod 777 /data/*
+          volumeMounts:
+            - mountPath: /data
+              name: data
+        - name: kubectl
+          image: #@ data.values.tp.rsa_builer.kubectl_image
+          command:
+            - kubectl
+          args:
+            - create
+            - secret
+            - generic
+            - rsa-key
+            - --from-file=key.pem=/data/key.pem
+            - --from-file=pub.pem=/data/pub.pem
+          volumeMounts:
+            - mountPath: /data
+              name: data
+---
 apiVersion: v1
 kind: Secret
 metadata:
   name: rsa-key
   namespace: #@ data.values.tp.namespace
   annotations:
-    kapp.k14s.io/change-group: "secrettemplate"
-type: Opaque
-stringData:
-  pub.pem: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveA/k9CPio5XQf1zbvWG\nIAjZlC364oH2Va3EzL6CKdHsmb+OQUqSBNZxcRo2F1kEJOjvZsZWQ2xzoZPohueT\nr0hrie/FItRzzjC3dwhGeNe1ZNW7dxWS4OrdQAkWijKlbTVa9kcJToiKUH6y1Wzk\n+46KZ1qpv8PH7DHH2usCA2CNnDyPaV9ZElsG2KMbmW3dGWZDi3c405iKkUZm5gdQ\nq1nDvcaR1Nqxr9NuSHrvPLcwB6Jnr46/93m33v5p0CYCR6BZFbPlm/ejOuZSQPYY\nYVxzdl1zAdVROEA8H+v7BWRmI6vd05EyNMZwbB5EYqnXws6OoIDOHS7mJV9az6N7\n0wIDAQAB\n-----END PUBLIC KEY-----\n"
-  key.pem: "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC94D+T0I+KjldB\n/XNu9YYgCNmULfrigfZVrcTMvoIp0eyZv45BSpIE1nFxGjYXWQQk6O9mxlZDbHOh\nk+iG55OvSGuJ78Ui1HPOMLd3CEZ417Vk1bt3FZLg6t1ACRaKMqVtNVr2RwlOiIpQ\nfrLVbOT7jopnWqm/w8fsMcfa6wIDYI2cPI9pX1kSWwbYoxuZbd0ZZkOLdzjTmIqR\nRmbmB1CrWcO9xpHU2rGv025Ieu88tzAHomevjr/3ebfe/mnQJgJHoFkVs+Wb96M6\n5lJA9hhhXHN2XXMB1VE4QDwf6/sFZGYjq93TkTI0xnBsHkRiqdfCzo6ggM4dLuYl\nX1rPo3vTAgMBAAECggEAMQboI6ikh6g9S6K/3ZSz7y2Z0LMWpsnb6z+VIzDFtzqn\nFwPpHV692VXtsMCN2vV3Jnim6CiqOXqVWNEyJzNAZPAUJGeuxVGKHWFi3e9bEvTP\nt5ugbh058a1zN4ehNEnjgRFXzWOGOarz29j7IDSf43xorEsyrXtF8ezgp9wqhuhD\niOo9aW2QySc5sBZ4ZnPeCSf0C/Dq/f7jQafknPlVufFt5VvAkWQFV4dCgWaZ9OrJ\nmPcCKBwHPmJ20q1luodJ3OQKKvnNlBoxkeAwQBlmjtBrdx0gTbrD46JRl6EmmFab\nU6hEl2d63rIJutNWfHNRFnq+WcJq6TY9XvboXhgfcQKBgQDgSgA5QW0U0Cu+dsYq\nZgHa1B8oPpSPzYnzFC/Vfpcm32zSRBaA4lGCOcRDXE4hU2z1hPyBZ4TXWKS0s/6L\nNLjNz76XbdoFG10mN71L8IqAX/PmZ2kqFKzrhrZxqgyFbutCrDMlgkvczranmJdK\notdHI6SuOy5+LLwmmX+5xl8u5QKBgQDYuLAAiQZLDix0x2bAxswQ1riFG9r2Azb3\nF0H7YR2Fskflitk3U1kBieX88/blo7/T4lcQgKVQ0UYnPyWfnUHAMKEc1VO2HU4g\nPrVprArLGv2XFJKvsdbFY4Dv+rADh1On5TAKSYYrR22p85z7geP4KZbohvSBzrmh\nXMpO72ucVwKBgFx8Jzt0zxYWAPO45l31Ui556Z8erwPdLVUerdrLKGjPGIBbsyvS\nJuocB+H+3fi//d3/yF9T4GMsGj6pOf0M8Gdtkpm+ongYoIBx24zE01e8OUZ4vdSs\nUeGM2w5joGYlJr2HZE/DOqUCWC8jrL8KBts+x1lQ7gr5R1xjT1e7hORBAoGBAMCM\nXnsrQvceUaszmnx+Y8I2M9y3ofPfaU9hT5M7dpJZkn1DvrfkCnlOfpMeYmcm9IEZ\nYMddtQM32/90oEXO3yMVUZ+ffW+ZW9dUP7PyUeigQ1yev7Dv7WSUgnM0pHuOGWpb\nOzJ4nocHQEy2D+x5PAU5VkWj2csW02ClY218VHyjAoGBAL5pGhJ9vu4kmNQbhyzQ\nasIjgCkO6aQNRe66DG+OzO/9V1FJ4GviWLW/Uoh1J78tU4FFUZf2JiCVBcMLYhKM\nJiab8Ly26ieZKLPA4oGIPfNDrNS0SLwBkM37jcL0AeFu4JidABpaTKvJhkqCaUye\n9vMB+b4alzC5OS2XAsP/nJE0\n-----END PRIVATE KEY-----\n"
+    kapp,k14s.io/owned-for-deletion: ""
+    kapp.k14s.io/exists: ""
+    kapp.k14s.io/change-group: "secret"
+    kapp.k14s.io/change-rule: "upsert after upserting secrettemplate"

manifests/tpk8s-opinionated.tanzu.japan.com/10.0.0/values.yaml

@@ -11,6 +11,7 @@ certmanager:
 
 openldap:
   enabled: true
+  image: index.docker.io/bitnami/openldap@sha256:8e3f28db7a8c05d7db99ec688b8ca1044f0deaf8f98ea5b1f71c42276e3c1583
   ssl: false
   rootdn: dc=tanzu,dc=net
   adminpassword: adminpassword
@@ -59,14 +60,18 @@ tp:
   profile: evaluation
   version: '10.0.0-oct-2024-rc.533-vc0bb325'
   storage_class: tkg-ds
-  keep_pvc: false
+  hack_enabled: true
+  salt_disabled: true
+  vcf_disabled: true
+  ldap_enabled: true
+  rsa_builder:
+    openssl_image: index.docker.io/alpine/openssl@sha256:7f9e867564f38e409098eb6438e982bcc26b805942ce6524ad770534c0afdafb
+    kubectl_image: index.docker.io/bitnami/kubectl@sha256:671516f53dd61f1e7d1dc178ba30d47faecc6caaa1e8c2a0f53d3d939f11c077
   ingress:
     host: tp.example.com
     self_signed_cert: true
     certificate: ""
     privateKey: ""
-  salt_disabled: true
-  vcf_disabled: true
   imageRegistry:
     server: harbor.example.com
     username: admin
@@ -75,5 +80,4 @@ tp:
   organization:
     name: default
   namespace: tanzusm
-  ldap_enabled: true
   oauthProviders: [{}]