diff --git a/charts/zrok/Chart.yaml b/charts/zrok/Chart.yaml index 838f0a94..962502e7 100644 --- a/charts/zrok/Chart.yaml +++ b/charts/zrok/Chart.yaml @@ -15,13 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.4 +version: 0.2.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 0.4.30 +appVersion: 0.4.39 dependencies: [] # removing this dependency until it becomes clear that it makes sense as a subchart diff --git a/charts/zrok/README.md b/charts/zrok/README.md index 69932aec..e86c8360 100644 --- a/charts/zrok/README.md +++ b/charts/zrok/README.md @@ -2,7 +2,7 @@ # zrok -![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.30](https://img.shields.io/badge/AppVersion-0.4.30-informational?style=flat-square) +![Version: 0.2.5](https://img.shields.io/badge/Version-0.2.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.39](https://img.shields.io/badge/AppVersion-0.4.39-informational?style=flat-square) Run the zrok controller and zrok frontend components as a K8s deployment diff --git a/charts/zrok/templates/controller-secrets-configmap.yaml b/charts/zrok/templates/controller-secrets-configmap.yaml index f2ba6825..91ca7656 100644 --- a/charts/zrok/templates/controller-secrets-configmap.yaml 
+++ b/charts/zrok/templates/controller-secrets-configmap.yaml @@ -5,26 +5,6 @@ # their enclosing conditional statement {{- $influxAdminToken := randAlphaNum 32 | b64enc }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "zrok.fullname" . }}-ziggy-account-password - labels: - {{- include "zrok.labelsController" . | nindent 8 }} - annotations: - # "helm.sh/resource-policy": "keep" -type: Opaque -data: - # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result - {{- $ziggySecretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-%s" (include "zrok.fullname" . ) "ziggy-account-password")) | default dict }} - {{- $ziggySecretData := (get $ziggySecretObj "data") | default dict }} - # set $zrokAdminToken to existing secret data or generate a random one when not exists - {{- $ziggyPassword := (get $ziggySecretData "password") | default (randAlphaNum 32 | b64enc) }} - # set the secret values.. - username: {{ printf "ziggy@%s" .Values.dnsZone | b64enc | quote }} - password: {{ $ziggyPassword | quote }} - --- apiVersion: v1 kind: Secret 
@@ -99,24 +79,6 @@ data: # uses mounted zrok config YAML zrok admin bootstrap /etc/zrok/ctrl.yaml - # granted permission to read secrets in namespace by SA managed by this chart - if kubectl -n {{ .Release.Namespace }} get secret \ - {{ include "zrok.fullname" . }}-ziggy-account-token &>/dev/null; then - echo "INFO: ziggy account enable token secret exists" - else - echo "INFO: ziggy account enable token secret does not exist, creating secret" - # create a default user account named "ziggy" and save the enable token in a Secret resource - zrok admin create account \ - /etc/zrok/ctrl.yaml \ - ziggy@{{ .Values.dnsZone }} \ - {{ $ziggyPassword | b64dec | quote }} \ - | xargs -I TOKEN kubectl -n {{ .Release.Namespace }} create secret generic \ - {{ include "zrok.fullname" . }}-ziggy-account-token \ - --from-literal=token=TOKEN - # xargs -r is NOT used here because this command must fail loudly if the account token was not created - - fi - # granted permission to read secrets in namespace by SA managed by this chart if kubectl -n {{ .Release.Namespace }} get secret \ {{ include "zrok.fullname" . }}-frontend-identity &>/dev/null; then @@ -180,7 +142,7 @@ data: # configuration, the software will expect this field to be incremented. This protects you against invalid configuration # versions. # - v: 3 + v: 4 admin: # The `secrets` array contains a list of strings that represent valid `ZROK_ADMIN_TOKEN` values to be used for diff --git a/charts/zrok/templates/frontend-deployment.yaml b/charts/zrok/templates/frontend-deployment.yaml index aa2ea0a5..a6102036 100644 --- a/charts/zrok/templates/frontend-deployment.yaml +++ b/charts/zrok/templates/frontend-deployment.yaml 
@@ -83,11 +83,6 @@ spec: # needs to read the frontend ziti identity secret which is mounted in $HOME/.zrok/identities args: ["access", "public", "/etc/zrok/frontend.yaml"] env: - - name: ZROK_ADMIN_TOKEN - valueFrom: - secretKeyRef: - name: {{ include "zrok.fullname" . }}-admin-secret - key: admin-token - name: ZROK_API_ENDPOINT value: http://{{ include "zrok.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.controller.service.advertisedPort }} - name: HOME diff --git a/charts/zrok/templates/frontend-configmap.yaml b/charts/zrok/templates/frontend-secrets-configmap.yaml similarity index 76% rename from charts/zrok/templates/frontend-configmap.yaml rename to charts/zrok/templates/frontend-secrets-configmap.yaml index 8a26af6f..f69c0ce3 100644 --- a/charts/zrok/templates/frontend-configmap.yaml +++ b/charts/zrok/templates/frontend-secrets-configmap.yaml @@ -1,3 +1,23 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "zrok.fullname" . }}-ziggy-account-password + labels: + {{- include "zrok.labelsController" . | nindent 8 }} + annotations: + # "helm.sh/resource-policy": "keep" +type: Opaque +data: + # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result + {{- $ziggySecretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-%s" (include "zrok.fullname" . ) "ziggy-account-password")) | default dict }} + {{- $ziggySecretData := (get $ziggySecretObj "data") | default dict }} + # set $zrokAdminToken to existing secret data or generate a random one when not exists + {{- $ziggyPassword := (get $ziggySecretData "password") | default (randAlphaNum 32 | b64enc) }} + # set the secret values.. + username: {{ printf "ziggy@%s" .Values.dnsZone | b64enc | quote }} + password: {{ $ziggyPassword | quote }} + --- apiVersion: v1 kind: ConfigMap 
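Review bot: In the Secret added at the top of frontend-secrets-configmap.yaml, `$ziggyPassword` falls back to `randAlphaNum 32 | b64enc` whenever `lookup` finds nothing, and `lookup` returns an empty result under `helm template` and client-side dry-run. Pipelines that render the chart that way would write a new password on every render, while the account-creation step later in this file is skipped once the `-ziggy-account-token` Secret exists, so the stored password could stop matching the account. A comment above the `lookup` line saying the password is only stable on installs and upgrades against a live cluster would make this visible to operators. The carried-over comment also names the wrong variable and should read `# set $ziggyPassword to existing secret data or generate a random one when not exists`.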
@@ -12,9 +32,7 @@ data: set -o errexit set -o nounset set -o pipefail - # set -o xtrace # FIXME remove this - - # while true;do sleep 1;done + # set -o xtrace # mounted script from frontend configmap zitiLogin @@ -116,7 +134,22 @@ data: "{{ .Values.frontend.ingress.scheme }}://{token}.{{ .Values.dnsZone }}" fi - # while true;do sleep 1;done + # granted permission to read secrets in namespace by SA managed by this chart + if kubectl -n {{ .Release.Namespace }} get secret \ + {{ include "zrok.fullname" . }}-ziggy-account-token &>/dev/null; then + echo "INFO: ziggy account enable token secret exists" + else + echo "INFO: ziggy account enable token secret does not exist, creating secret" + # create a default user account named "ziggy" and save the enable token in a Secret resource + zrok admin create account \ + ziggy@{{ .Values.dnsZone }} \ + {{ $ziggyPassword | b64dec | quote }} \ + | xargs -I TOKEN kubectl -n {{ .Release.Namespace }} create secret generic \ + {{ include "zrok.fullname" . }}-ziggy-account-token \ + --from-literal=token=TOKEN + # xargs -r is NOT used here because this command must fail loudly if the account token was not created + + fi frontend.yaml: |-
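Review bot: The added `zrok admin create account` step renders `{{ $ziggyPassword | b64dec | quote }}` directly into the script text, which by the hunk context appears to sit under a ConfigMap's `data:`. If so, the decoded password is readable by anyone who may read ConfigMaps in the namespace and is no longer protected by Secret RBAC. Prefer injecting it at run time from the `-ziggy-account-password` Secret, for example a `secretKeyRef` env var referenced as `"${ZIGGY_PASSWORD}"` in the script (the variable name is a placeholder). The enable token is likewise substituted into `--from-literal=token=TOKEN`, which puts it in the kubectl process arguments; feeding it on stdin with `--from-file=token=/dev/stdin`, after stripping the trailing newline, would avoid that. The script and its enclosing ConfigMap begin outside this hunk.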