Merge pull request #37 from projectsyn/feat/discovery
Add option to configure environment variables for API
glrf authored Mar 30, 2022
2 parents e772d0d + 1a7624d commit d26b2f0
Showing 7 changed files with 71 additions and 24 deletions.
1 change: 1 addition & 0 deletions class/defaults.yml
@@ -43,6 +43,7 @@ parameters:
users:
- kind: ServiceAccount
name: lieutenant-api-user
env: {}
tenant_rbac: {}
githosts: {}
auth_delegation: {}
37 changes: 17 additions & 20 deletions component/api.jsonnet
@@ -1,3 +1,4 @@
local com = import 'lib/commodore.libjsonnet';
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';
local inv = kap.inventory();
@@ -95,6 +96,14 @@ local user_service_accounts = [
if u.kind == 'ServiceAccount'
];

local mergeEnvVars(envs, additional) =
local foldFn =
function(acc, env)
acc { [env.name]: env };
local base = std.foldl(foldFn, envs, {});
local final = std.foldl(foldFn, additional, base);
[ final[k] for k in std.objectFields(final) ];

local objects = [
role,
service_account,
@@ -120,26 +129,14 @@ local objects = [
if c.name == 'lieutenant-api' then
c {
image: image,
env: [
if e.name == 'STEWARD_IMAGE' then
{
name: 'STEWARD_IMAGE',
value: steward_image,
}
else if e.name == 'LIEUTENANT_INSTANCE' then
{
name: 'LIEUTENANT_INSTANCE',
value: params.api.lieutenant_instance,
}
else
e
for e in super.env + [
{
name: 'DEFAULT_API_SECRET_REF_NAME',
value: params.api.default_githost,
},
]
],
env: mergeEnvVars(
super.env,
com.envList({
STEWARD_IMAGE: steward_image,
LIEUTENANT_INSTANCE: params.api.lieutenant_instance,
DEFAULT_API_SECRET_REF_NAME: params.api.default_githost,
} + params.api.env)
),
}
else
c
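Review bot: `params.api.env` is merged last (`{ STEWARD_IMAGE: ..., ... } + params.api.env`) and `mergeEnvVars` then replaces same-named entries wholesale, so an inventory key silently overrides the component-managed `STEWARD_IMAGE`, `LIEUTENANT_INSTANCE` and `DEFAULT_API_SECRET_REF_NAME`, as well as anything already in `super.env` (the golden output shows `NAMESPACE` with a `fieldRef` there). If the dedicated parameters are meant to stay authoritative, flip the merge to `params.api.env + { STEWARD_IMAGE: steward_image, ... }`; otherwise state the precedence above the helper, e.g. `// Entries in 'additional' replace same-named entries in 'envs'; the result is ordered by variable name.` The ordering is a behaviour change too: `std.objectFields` returns names sorted, so the upstream env order is lost, and Kubernetes only expands `$(VAR)` references to variables defined earlier in the list. No such reference is visible on this page, but that is worth confirming against the upstream manifest. The `objects` array starts and ends outside the hunk.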
21 changes: 21 additions & 0 deletions docs/modules/ROOT/pages/how-tos/vcluster.adoc
@@ -123,3 +123,24 @@ parameters:
syn:
registration_url: https://api.syn.example.com/install/steward.json?token=XRaRSHafWa28afE72F2aCY==
----

=== Commodore configuration auto discovery

Commodore has the feature to discover the OIDC configuration from the Lieutenant API.
That way Commodore user don't need to know the URL of the IDP or the OIDC client ID.

To use this feature you need to pass this information to the Lieutenant API

[code,yaml]
----
parameters:
lieutenant:
api:
ingress:
host: api-prod.syn.example.com
env:
OIDC_CLIENT_ID: lieutenant <1>
OIDC_DISCOVERY_URL=https://id.example.com/auth/realms/main/.well-known/openid-configuration <2>
----
<1> The same client ID used for vcluster
<2> The OIDC discovery endpoint of the IDP
21 changes: 21 additions & 0 deletions docs/modules/ROOT/pages/references/parameters.adoc
@@ -120,6 +120,27 @@ default:: ``
The githost to be used by default for new tenants.


== `api.env`

[horizontal]
type:: list
default:: `{}`
example::
+
[source,yaml]
----
env:
OIDC_DISCOVERY_URL:
secretKeyRef:
name: oidc-config
key: discovery
OIDC_CLIENT_ID: lieutenant
----

Additional environment that should be passed to the Lieutenant API.
If a dict is given `valueFrom:` is assumed.


== `api.ingress.host`

[horizontal]
3 changes: 3 additions & 0 deletions tests/defaults.yml
@@ -6,6 +6,9 @@ parameters:
auth_path: foo
api:
default_githost: gitlab-com
env:
OIDC_DISCOVERY_URL: 'https://idp.test.com/'
OIDC_CLIENT_ID: lieutenant
tenant_rbac:
t-foo-124:
- name: "u-bar-1"
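Review bot: The fixture sets only plain string values under `api.env`, so the dict form that the parameter reference documents as `valueFrom` (its `secretKeyRef` example) is never rendered by the tests. That form is the one operators should use for anything sensitive, because plain values are written verbatim into the rendered Deployment, so it deserves a regression check. A constructed entry such as `EXAMPLE_FROM_SECRET: {secretKeyRef: {name: oidc-config, key: discovery}}` would cover it. A second entry that overrides a component-managed name such as `LIEUTENANT_INSTANCE` would pin the merge precedence as well. The `parameters` mapping continues outside the hunk.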
@@ -22,16 +22,20 @@ spec:
- command:
- lieutenant-api
env:
- name: DEFAULT_API_SECRET_REF_NAME
value: gitlab-com
- name: LIEUTENANT_INSTANCE
value: lieutenant
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LIEUTENANT_INSTANCE
- name: OIDC_CLIENT_ID
value: lieutenant
- name: OIDC_DISCOVERY_URL
value: https://idp.test.com/
- name: STEWARD_IMAGE
value: docker.io/projectsyn/steward:v0.6.0
- name: DEFAULT_API_SECRET_REF_NAME
value: gitlab-com
image: docker.io/projectsyn/lieutenant-api:v0.9.0
imagePullPolicy: Always
livenessProbe:
2 changes: 1 addition & 1 deletion tests/unit/api_test.go
@@ -29,7 +29,7 @@ func Test_APIDeployment(t *testing.T) {
assert.Len(t, deploy.Spec.Template.Spec.Containers, 1)
c := deploy.Spec.Template.Spec.Containers[0]
assert.Equal(t, apiImage, c.Image)
assert.Len(t, c.Env, 4)
assert.Len(t, c.Env, 6)

for _, env := range c.Env {
switch env.Name {
