Merge pull request #30 from vmware-tanzu-labs/develop

v1.4.2

Makefile

@@ -5,7 +5,7 @@
 
 # image build vars
 IMAGE ?= projects.registry.vmware.com/rpk/rpk
-IMAGE_VERSION ?= v1.4.1
+IMAGE_VERSION ?= v1.4.2
 IMAGE_BASE ?= projects.registry.vmware.com/rpk/rpk-base
 IMAGE_BASE_VERSION ?= v1.4.0
 

README.md

@@ -59,28 +59,28 @@ paths seen and expect our approaches to **evolve over time**.
 
 Kubernetes user needs fit on a spectrum, typically landing in
 one of 3 personas. Each persona envisions a slightly different path to
-production. We often identify these personas as bronze, silver, and gold.
+production. We often identify these personas as foundational, advanced, and opinionated.
 
-![Bronze-Silver-Gold](docs/images/bronze-silver-gold.png)
+![Personas](docs/images/personas.png)
 
-* **Bronze**: I want an enterprise-grade Kubernetes distribution. This persona
+* **Foundational**: I want an enterprise-grade Kubernetes distribution. This persona
 is largely interested in having the foundation poured but is not yet ready to
-build the house. In our experience, the path to production with bronze is rarely
-achieved without moving on to a silver or gold aspiration. However, the bronze
-intention may be right for the customer at the time, especially when their
+build the house. In our experience, the path to production with the foundational persona is rarely
+achieved without moving on to one of the other below aspirations. However, the intent
+behind the implementation selection may be right for the customer at the time, especially when their
 production intentions are largely non-determined.
 
-* **Silver**: I want to **create** a viable place to run applications in production
+* **Advanced**: I want to **create** a viable place to run applications in production
 with Kubernetes as the foundation. This persona not only wants to pour the
 foundation, but also help design, build, and operationalize an application
 platform on top - ensuring they end up with a habitable place for
 applications to live (i.e., running in production).
 
-* **Gold**: I want to **deploy** a fully-baked application platform that is
-ready for production, with Kubernetes as the foundation. This persona wants to
+* **Opinionated**: I want to **deploy** a fully-baked application platform that is
+ready for production. This persona wants to
 adopt hardened opinions of a vendor - similar to an established housing developer,
 they can have a quality, habitable, home built. This lowers the effort seen in
-the Silver persona around architecting / building, although some extension may
+the Advanced persona around architecting / building, although some extension may
 be involved.
 
 ## Is RPK a VMware Product?

roles/components/core/identity/pre-flight/tasks/main.yaml

@@ -1,27 +1,2 @@
 # Copyright 2006-2021 VMware, Inc.
 # SPDX-License-Identifier: MIT
----
-#
-# DNS
-#
-- name: "get the ingress ip"
-  import_role:
-    name: "common/ingress-ip"
-
-- name: "ensure dns resolvability for identity module"
-  include_role:
-    name: "common/etc-hosts"
-  vars:
-    ip:   "{{ ingress_ip }}"
-    fqdn: "{{ item }}"
-  with_items:
-    - "{{ tanzu_identity.dex.dns }}"
-    - "{{ tanzu_identity.gangway.dns }}"
-
-#
-# RETRIEVE CLUSTER INFO
-#
-- name: "retrieve cluster info"
-  import_role:
-    name: "common/cluster-info"
-  when: tanzu_apiserver_url is not defined

roles/components/core/identity/tasks/main.yaml

@@ -18,6 +18,31 @@
     namespace_template_file: "tanzu-namespace.yaml.j2"
     namespace_file:          "{{ tanzu_identity.staging_dir }}/tanzu-namespace.yaml"
 
+#
+# DNS
+#
+- name: "get the ingress ip"
+  import_role:
+    name: "common/ingress-ip"
+
+- name: "ensure dns resolvability for identity module"
+  include_role:
+    name: "common/etc-hosts"
+  vars:
+    ip:   "{{ ingress_ip }}"
+    fqdn: "{{ item }}"
+  with_items:
+    - "{{ tanzu_identity.dex.dns }}"
+    - "{{ tanzu_identity.gangway.dns }}"
+
+#
+# RETRIEVE CLUSTER INFO
+#
+- name: "retrieve cluster info"
+  import_role:
+    name: "common/cluster-info"
+  when: tanzu_apiserver_url is not defined
+
 #
 # LDAP
 #
@@ -29,6 +54,14 @@
     manifest_template:    "psp-ldap.yaml.j2"
     manifest_staging_dir: "{{ tanzu_identity.staging_dir }}"
 
+- name: "ensure ldap rbac exists"
+  import_role:
+    name: "common/manifest-file-with-wait"
+  vars:
+    manifest_description: "ldap rbac"
+    manifest_template:    "rbac-ldap.yaml.j2"
+    manifest_staging_dir: "{{ tanzu_identity.staging_dir }}"
+
 - name: "ensure ldap config exists"
   import_role:
     name: "common/manifest-file-with-wait"

roles/components/core/identity/templates/config-ldap.yaml.j2

@@ -1,19 +1,6 @@
 # Copyright 2006-2021 VMware, Inc.
 # SPDX-License-Identifier: MIT
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: tanzu-admin
-  namespace: {{ tanzu_identity.namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: User
-    name: {{ tanzu_identity.ldap.admin_user }}
----
 apiVersion: v1
 kind: ConfigMap
 metadata:

roles/components/core/identity/templates/job-kube-apiserver.yaml.j2

@@ -7,10 +7,11 @@ metadata:
   name: kube-apiserver-config
   namespace: "{{ tanzu_identity.namespace }}"
 data:
+  UPDATE_K8S_CA: "{{ ((tanzu_security.actions.update_k8s_ca | bool) and (('letsencrypt-stage' in tanzu_security.tls_providers) or ('ca' in tanzu_security.tls_providers) or ('wildcard' in tanzu_security.tls_providers))) | string | lower }}"
   kube-apiserver-config-values.yaml: |
     #@data/values
     ---
-    UPDATE_K8S_CA: "{{ ((tanzu_security.actions.update_k8s_ca | bool) and (('letsencrypt-stage' in tanzu_security.tls_providers) or ('ca' in tanzu_security.tls_providers) or ('wildcard' in tanzu_security.tls_providers))) | string | lower }}"
+    UPDATE_K8S_CA: ""
   kube-apiserver-config-overlay.yaml: |
     #@ load("@ytt:overlay", "overlay")
     #@ load("@ytt:data", "data")
@@ -66,13 +67,19 @@ spec:
       containers:
       - image: gerritk/ytt:v0.30.0
         name: kube-apiserver-config
+        env:
+        - name: UPDATE_K8S_CA
+          valueFrom:
+            configMapKeyRef:
+              name: kube-apiserver-config
+              key: UPDATE_K8S_CA
         command:
           - "/bin/sh"
         args:
           - "-c"
           - |
             cat /etc/kubernetes/manifests/kube-apiserver.yaml > /etc/kubernetes/backup/kube-apiserver.yaml.orig
-            /usr/bin/ytt -f /etc/kubernetes/manifests/kube-apiserver.yaml -f /etc/kubernetes/kube-apiserver-config-values.yaml -f /etc/kubernetes/kube-apiserver-config-overlay.yaml > /etc/kubernetes/backup/kube-apiserver.yaml.new
+            /usr/bin/ytt --data-values-env UPDATE_K8S_CA -f /etc/kubernetes/manifests/kube-apiserver.yaml -f /etc/kubernetes/kube-apiserver-config-values.yaml -f /etc/kubernetes/kube-apiserver-config-overlay.yaml > /etc/kubernetes/backup/kube-apiserver.yaml.new
             if [ "$(cat /etc/kubernetes/backup/kube-apiserver.yaml.new)" != "" ]; then
               cat /etc/kubernetes/backup/kube-apiserver.yaml.new > /etc/kubernetes/manifests/kube-apiserver.yaml
             else

roles/components/core/identity/templates/rbac-ldap.yaml.j2

@@ -0,0 +1,15 @@
+# Copyright 2006-2021 VMware, Inc.
+# SPDX-License-Identifier: MIT
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: tanzu-admin
+  namespace: {{ tanzu_identity.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: User
+    name: {{ tanzu_identity.ldap.admin_user }}