feat: add support for custom registry on 1.27 and prepare v1.27.9 rel…

…ease (#261)

* feat: add support for custom registry on 1.27

* fix: generate docs and schemas

* docs: change upgrade links

* feat: prepare v1.27.9 release

* docs: apply suggestions

* docs(schemas): add description for grafana's advanced configuration

* docs(schema): improve Pomerium documentation

* chore(ci/linting): allow bare URLs in markdown

* chore: add missing new line

* tests: use latest furyctl

* tests: fix 1.27.8 version

---------

Co-authored-by: Ramiro Algozino <ramiro@sighup.io>

.drone.yml

@@ -157,7 +157,7 @@ steps:
     environment:
       CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}
       KUBECONFIG: /drone/src/kubeconfig
-      FURYCTL_VERSION: v0.29.5-rc.2
+      FURYCTL_VERSION: v0.29.7-rc.0
     depends_on: [create Kind cluster]
     commands:
       - export KUBECONFIG=/drone/src/kubeconfig
@@ -196,7 +196,7 @@ volumes:
     host:
       path: /var/run/docker.sock
 ---
-name: e2e-kubernetes-1.27.5-1.27.6-1.27.7-1.27.8
+name: e2e-kubernetes-1.27.5-1.27.6-1.27.7-1.27.8-1.27.9
 kind: pipeline
 type: docker
 
@@ -261,7 +261,7 @@ steps:
     environment:
       CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-upgrades
       KUBECONFIG: /drone/src/kubeconfig-upgrades
-      FURYCTL_VERSION: v0.29.5-rc.2
+      FURYCTL_VERSION: v0.29.7-rc.0
     depends_on: [create Kind cluster]
     commands:
       - export KUBECONFIG=/drone/src/kubeconfig-upgrades
@@ -306,7 +306,7 @@ type: docker
 
 depends_on:
   - e2e-kubernetes-1.27
-  - e2e-kubernetes-1.27.5-1.27.6-1.27.7-1.27.8
+  - e2e-kubernetes-1.27.5-1.27.6-1.27.7-1.27.8-1.27.9
 
 platform:
   os: linux

.rules/.markdown-lint.yml

@@ -32,6 +32,7 @@ MD026:
   punctuation: ".,;:!。，；:"  # List of not allowed
 MD029: false                  # Ordered list item prefix
 MD033: false                  # Allow inline HTML
+MD034: false                  # Allow bare-URLs in Markdown, GitHub and Docusaurus support them
 MD036: false                  # Emphasis used instead of a heading
 MD041: false
 

README.md

@@ -7,8 +7,8 @@
 <p align="center">Kubernetes Fury Distribution (KFD) is a certified battle-tested Kubernetes distribution based purely on upstream Kubernetes.</p>
 <!-- markdownlint-enable MD033 MD045 -->
 
-[![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.27.8)](http://ci.sighup.io/sighupio/fury-distribution)
-[![Release](https://img.shields.io/badge/release-v1.27.8-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest)
+[![Build Status](http://ci.sighup.io/api/badges/sighupio/fury-distribution/status.svg?ref=refs/tags/v1.27.9)](http://ci.sighup.io/sighupio/fury-distribution)
+[![Release](https://img.shields.io/badge/release-v1.27.9-blue?label=FuryDistributionRelease)](https://github.com/sighupio/fury-distribution/releases/latest)
 [![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack)](https://kubernetes.slack.com/archives/C0154HYTAQH)
 [![License](https://img.shields.io/github/license/sighupio/fury-distribution)](https://github.com/sighupio/fury-distribution/blob/main/LICENSE)
 
@@ -132,7 +132,7 @@ Current supported versions of KFD are:
 | :----------------------------------------------------------------------------: | :----------------: |
 | [`1.29.3`](https://github.com/sighupio/fury-distribution/releases/tag/v1.29.3) |      `1.29.x`      |
 | [`1.28.3`](https://github.com/sighupio/fury-distribution/releases/tag/v1.28.3) |      `1.28.x`      |
-| [`1.27.8`](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.8) |      `1.27.x`      |
+| [`1.27.9`](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.9) |      `1.27.x`      |
 
 Check the [compatibility matrix][compatibility-matrix] for additional information about previous releases of the Distribution and the compatibility with `furyctl`.
 

docs/COMPATIBILITY_MATRIX.md

@@ -10,6 +10,7 @@ For a complete list of all KFD releases and their compatibility with Kubernetes
 
 | KFD / Kubernetes Version                                                      | v1.27.X            |
 | ----------------------------------------------------------------------------- | ------------------ |
+| [v1.27.9](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.9) | :white_check_mark: |
 | [v1.27.8](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.8) | :white_check_mark: |
 | [v1.27.7](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.7) | :white_check_mark: |
 | [v1.27.6](https://github.com/sighupio/fury-distribution/releases/tag/v1.27.6) | :white_check_mark: |

docs/releases/v1.27.9.md

@@ -0,0 +1,43 @@
+# Kubernetes Fury Distribution Release v1.27.9
+
+Welcome to KFD release `v1.27.9`.
+
+The distribution is maintained with ❤️ by the team [SIGHUP](https://sighup.io/) it is battle tested in production environments.
+
+## New Features since `v1.27.8`
+
+### Installer Updates
+
+No changes
+
+### Module updates
+
+No changes
+
+## New features 🌟
+
+- **Configurable distribution registry**: Now the registry used by the distribution can be configured. An example configuration:
+
+  ```yaml
+  spec:
+    distribution:
+      common:
+        registry: myregistry.mydomain.ext
+  ```
+
+- **Configurable on-premises registry**: Now the registry used by the on-premises kind can be configured. An example configuration:
+
+  ```yaml
+  spec:
+    kubernetes:
+      advanced:
+        registry: myregistry.mydomain.ext
+  ```
+
+## Fixes 🐞
+
+No changes
+
+## Upgrade procedure
+
+Check the [upgrade docs](https://docs.kubernetesfury.com/docs/upgrades/upgrades) for the detailed procedure.

docs/schemas/ekscluster-kfd-v1alpha2.md

@@ -88,6 +88,7 @@ A Fury Cluster deployed through AWS's Elastic Kubernetes Service
 |:----------------------------------------------------------------|:---------|:---------|
 | [nodeSelector](#specdistributioncommonnodeselector)             | `object` | Optional |
 | [provider](#specdistributioncommonprovider)                     | `object` | Optional |
+| [registry](#specdistributioncommonregistry)                     | `string` | Optional |
 | [relativeVendorPath](#specdistributioncommonrelativevendorpath) | `string` | Optional |
 | [tolerations](#specdistributioncommontolerations)               | `array`  | Optional |
 
@@ -111,6 +112,14 @@ The node selector to use to place the pods for all the KFD modules
 
 The type of the provider, must be EKS if specified
 
+## .spec.distribution.common.registry
+
+### Description
+
+URL of the registry where to pull images from for the Distribution phase. (Default is registry.sighup.io/fury).
+
+NOTE: If plugins are pulling from the default registry, the registry will be replaced for these plugins too.
+
 ## .spec.distribution.common.relativeVendorPath
 
 ### Description
@@ -711,6 +720,10 @@ The value of the toleration
 | [routes](#specdistributionmodulesauthpomeriumroutes)                           | `array`  | Optional |
 | [secrets](#specdistributionmodulesauthpomeriumsecrets)                         | `object` | Required |
 
+### Description
+
+Configuration for Pomerium, an identity-aware reverse proxy used for SSO.
+
 ## .spec.distribution.modules.auth.pomerium.defaultRoutesPolicy
 
 ### Properties
@@ -728,6 +741,10 @@ The value of the toleration
 | [monitoringPrometheus](#specdistributionmodulesauthpomeriumdefaultroutespolicymonitoringprometheus)               | `array` | Optional |
 | [tracingMinioConsole](#specdistributionmodulesauthpomeriumdefaultroutespolicytracingminioconsole)                 | `array` | Optional |
 
+### Description
+
+override default routes for KFD components
+
 ## .spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.gatekeeperPolicyManager
 
 ## .spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.hubbleUi
@@ -807,7 +824,7 @@ DEPRECATED: Use defaultRoutesPolicy and/or routes
 
 ### Description
 
-Routes configuration for pomerium
+Additional routes configuration for Pomerium. Follows Pomerium's route format: https://www.pomerium.com/docs/reference/routes
 
 ## .spec.distribution.modules.auth.pomerium.secrets
 
@@ -820,29 +837,45 @@ Routes configuration for pomerium
 | [SHARED_SECRET](#specdistributionmodulesauthpomeriumsecretsshared_secret)         | `string` | Required |
 | [SIGNING_KEY](#specdistributionmodulesauthpomeriumsecretssigning_key)             | `string` | Required |
 
+### Description
+
+Pomerium needs some user-provided secrets to be fully configured. These secrets should be unique between clusters.
+
 ## .spec.distribution.modules.auth.pomerium.secrets.COOKIE_SECRET
 
 ### Description
 
 Cookie Secret is the secret used to encrypt and sign session cookies.
 
+To generate a random key, run the following command: `head -c32 /dev/urandom | base64`
+
 ## .spec.distribution.modules.auth.pomerium.secrets.IDP_CLIENT_SECRET
 
 ### Description
 
-Identity Provider Client Secret is the OAuth 2.0 Secret Identifier retrieved from your identity provider.
+Identity Provider Client Secret is the OAuth 2.0 Secret Identifier. When auth type is SSO, this value will be the secret used to authenticate Pomerium with Dex, **use a strong random value**.
 
 ## .spec.distribution.modules.auth.pomerium.secrets.SHARED_SECRET
 
 ### Description
 
 Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely.
 
+To generate a key, run the following command: `head -c32 /dev/urandom | base64`
+
 ## .spec.distribution.modules.auth.pomerium.secrets.SIGNING_KEY
 
 ### Description
 
-Signing Key is one or more PEM-encoded private keys used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
+Signing Key is the base64 representation of one or more PEM-encoded private keys used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
+
+To generates an P-256 (ES256) signing key:
+
+```bash
+openssl ecparam  -genkey  -name prime256v1  -noout  -out ec_private.pem
+# careful! this will output your private key in terminal
+cat ec_private.pem | base64
+```
 
 ## .spec.distribution.modules.auth.provider
 
@@ -2906,6 +2939,12 @@ The value of the toleration
 
 ## .spec.distribution.modules.monitoring.grafana.basicAuthIngress
 
+### Description
+
+Setting this to true will deploy an additional `grafana-basic-auth` ingress protected with Grafana's basic auth instead of SSO. It's intended use is as a temporary ingress for when there are problems with the SSO login flow.
+
+Notice that by default anonymous access is enabled.
+
 ## .spec.distribution.modules.monitoring.grafana.overrides
 
 ### Properties
@@ -2973,6 +3012,16 @@ The value of the toleration
 
 ## .spec.distribution.modules.monitoring.grafana.usersRoleAttributePath
 
+### Description
+
+[JMESPath](http://jmespath.org/examples.html) expression to retrieve the user's role. Example:
+
+```yaml
+usersRoleAttributePath: "contains(groups[*], 'beta') && 'Admin' || contains(groups[*], 'gamma') && 'Editor' || contains(groups[*], 'delta') && 'Viewer'
+```
+
+More details in [Grafana's documentation](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-role-mapping).
+
 ## .spec.distribution.modules.monitoring.kubeStateMetrics
 
 ### Properties

docs/schemas/kfddistribution-kfd-v1alpha2.md

@@ -80,6 +80,7 @@ An example file can be found [here](https://github.com/sighupio/fury-distributio
 |:----------------------------------------------------------------|:---------|:---------|
 | [nodeSelector](#specdistributioncommonnodeselector)             | `object` | Optional |
 | [provider](#specdistributioncommonprovider)                     | `object` | Optional |
+| [registry](#specdistributioncommonregistry)                     | `string` | Optional |
 | [relativeVendorPath](#specdistributioncommonrelativevendorpath) | `string` | Optional |
 | [tolerations](#specdistributioncommontolerations)               | `array`  | Optional |
 
@@ -103,6 +104,14 @@ The node selector to use to place the pods for all the KFD modules
 
 The type of the provider
 
+## .spec.distribution.common.registry
+
+### Description
+
+URL of the registry where to pull images from for the Distribution phase. (Default is registry.sighup.io/fury).
+
+NOTE: If plugins are pulling from the default registry, the registry will be replaced for the plugin too.
+
 ## .spec.distribution.common.relativeVendorPath
 
 ### Description
@@ -708,6 +717,10 @@ The value of the toleration
 | [routes](#specdistributionmodulesauthpomeriumroutes)                           | `array`  | Optional |
 | [secrets](#specdistributionmodulesauthpomeriumsecrets)                         | `object` | Required |
 
+### Description
+
+Configuration for Pomerium, an identity-aware reverse proxy used for SSO.
+
 ## .spec.distribution.modules.auth.pomerium.defaultRoutesPolicy
 
 ### Properties
@@ -725,6 +738,10 @@ The value of the toleration
 | [monitoringPrometheus](#specdistributionmodulesauthpomeriumdefaultroutespolicymonitoringprometheus)               | `array` | Optional |
 | [tracingMinioConsole](#specdistributionmodulesauthpomeriumdefaultroutespolicytracingminioconsole)                 | `array` | Optional |
 
+### Description
+
+override default routes for KFD components
+
 ## .spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.gatekeeperPolicyManager
 
 ## .spec.distribution.modules.auth.pomerium.defaultRoutesPolicy.hubbleUi
@@ -804,7 +821,7 @@ DEPRECATED: Use defaultRoutesPolicy and/or routes
 
 ### Description
 
-Routes configuration for pomerium
+Additional routes configuration for Pomerium. Follows Pomerium's route format: https://www.pomerium.com/docs/reference/routes
 
 ## .spec.distribution.modules.auth.pomerium.secrets
 
@@ -817,29 +834,45 @@ Routes configuration for pomerium
 | [SHARED_SECRET](#specdistributionmodulesauthpomeriumsecretsshared_secret)         | `string` | Required |
 | [SIGNING_KEY](#specdistributionmodulesauthpomeriumsecretssigning_key)             | `string` | Required |
 
+### Description
+
+Pomerium needs some user-provided secrets to be fully configured. These secrets should be unique between clusters.
+
 ## .spec.distribution.modules.auth.pomerium.secrets.COOKIE_SECRET
 
 ### Description
 
 Cookie Secret is the secret used to encrypt and sign session cookies.
 
+To generate a random key, run the following command: `head -c32 /dev/urandom | base64`
+
 ## .spec.distribution.modules.auth.pomerium.secrets.IDP_CLIENT_SECRET
 
 ### Description
 
-Identity Provider Client Secret is the OAuth 2.0 Secret Identifier retrieved from your identity provider.
+Identity Provider Client Secret is the OAuth 2.0 Secret Identifier. When auth type is SSO, this value will be the secret used to authenticate Pomerium with Dex, **use a strong random value**.
 
 ## .spec.distribution.modules.auth.pomerium.secrets.SHARED_SECRET
 
 ### Description
 
 Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely.
 
+To generate a key, run the following command: `head -c32 /dev/urandom | base64`
+
 ## .spec.distribution.modules.auth.pomerium.secrets.SIGNING_KEY
 
 ### Description
 
-Signing Key is one or more PEM-encoded private keys used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
+Signing Key is the base64 representation of one or more PEM-encoded private keys used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
+
+To generates an P-256 (ES256) signing key:
+
+```bash
+openssl ecparam  -genkey  -name prime256v1  -noout  -out ec_private.pem
+# careful! this will output your private key in terminal
+cat ec_private.pem | base64
+```
 
 ## .spec.distribution.modules.auth.provider
 
@@ -2381,6 +2414,12 @@ The value of the toleration
 
 ## .spec.distribution.modules.monitoring.grafana.basicAuthIngress
 
+### Description
+
+Setting this to true will deploy an additional `grafana-basic-auth` ingress protected with Grafana's basic auth instead of SSO. It's intended use is as a temporary ingress for when there are problems with the SSO login flow.
+
+Notice that by default anonymous access is enabled.
+
 ## .spec.distribution.modules.monitoring.grafana.overrides
 
 ### Properties
@@ -2448,6 +2487,16 @@ The value of the toleration
 
 ## .spec.distribution.modules.monitoring.grafana.usersRoleAttributePath
 
+### Description
+
+[JMESPath](http://jmespath.org/examples.html) expression to retrieve the user's role. Example:
+
+```yaml
+usersRoleAttributePath: "contains(groups[*], 'beta') && 'Admin' || contains(groups[*], 'gamma') && 'Editor' || contains(groups[*], 'delta') && 'Viewer'
+```
+
+More details in [Grafana's documentation](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-role-mapping).
+
 ## .spec.distribution.modules.monitoring.kubeStateMetrics
 
 ### Properties