This patch adds the ceph-csi-rbd helm chart component to the metal
cluster type. The purpose is to enable PersistentVolumeClaims on ois
metal clusters.
Cloud clusters like GKE and EKS are expected to skip rendering the metal
type.
Helm values are handled with CUE. The ceph secret is managed as an
ExternalSecret resource, appended to the rendered output by cue and the
holos cli.
Use:
```
❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/metal/...
2:45PM INF render.go:40 rendered prod-metal-ceph version=0.47.0 status=ok action=rendered name=prod-metal-ceph
```
This patch validates secrets are synced from the provisioner cluster to
a workload cluster. This verifies the `eso-creds-refresher` job, external
secrets operator, etc.
Refer to `0ae58858f5` for the corresponding commit on the k2 cluster.
This patch prints out the cue file and line numbers when a cue error
contains multiple go errors to unwrap.
For example:
```
❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/workload/...
3:31PM ERR could not execute version=0.46.0 err="could not decode: content: error in call to encoding/yaml.MarshalStream: incomplete value string (and 1 more errors)" loc=builder.go:212
content: error in call to encoding/yaml.MarshalStream: incomplete value string:
/home/jeff/workspace/holos-run/holos/docs/examples/schema.cue:199:11
/home/jeff/workspace/holos-run/holos/docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue:83:14
```
This patch adds the `eso-creds-refresher` CronJob which executes every 8
hours in the holos-system namespace of each workload cluster. The job
creates Secrets with a `token` field representing the id token
credential for a SecretStore to use when synchronizing secrets to and
from the provisioner cluster.
Service accounts in the provisioner cluster are selected with
`selector=holos.run/job.name=eso-creds-refresher`.
Each selected service account has a token issued with a 12 hour
expiration ttl and is stored in a Secret matching the service account
name in the same namespace in the workload cluster.
The job takes about 25 seconds to run once the image is cached on the
node.
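As an added illustration of the job this message describes (not code from the holos repository), here is one way to express the CronJob, the ConfigMap holding its script, and its ServiceAccount in CUE. Only the label selector, the 8 hour schedule, the 12 hour token ttl, the holos-system namespace and the IAM account name come from the messages on this page; the container image, the provisioner cluster name/region/project placeholders, the assumption that the target namespaces already exist in the workload cluster, and the reliance on kubectl's in-cluster fallback are mine.

```cue
package holos

// Placeholders for the provisioner (autopilot) cluster; replace them.
_provisioner: {
	cluster: "PROVISIONER_CLUSTER_NAME"
	region:  "PROVISIONER_REGION"
	project: "PROVISIONER_PROJECT"
}

// #"""..."""# keeps \n literal so the jsonpath template survives;
// $(...) is shell, not CUE interpolation.
_script: #"""
	#! /bin/bash
	# kubectl with no kubeconfig file falls back to the pod's in-cluster
	# credentials, so only provisioner commands pass --kubeconfig.
	set -euo pipefail
	WORK="$(mktemp -d)"
	trap 'rm -rf "$WORK"' EXIT

	# Workload identity: the pod's KSA maps to the IAM account, no key file.
	KUBECONFIG="$WORK/kubeconfig" gcloud container clusters get-credentials \
		"$PROVISIONER_CLUSTER" --region "$PROVISIONER_REGION" \
		--project "$PROVISIONER_PROJECT" --quiet

	kubectl --kubeconfig "$WORK/kubeconfig" get serviceaccount -A \
		--selector=holos.run/job.name=eso-creds-refresher \
		-o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name}{"\n"}{end}' |
	while read -r ns name; do
		# A 12h token on an 8h schedule leaves a 4h overlap for late runs.
		token="$(kubectl --kubeconfig "$WORK/kubeconfig" -n "$ns" create token "$name" --duration=12h)"
		printf '%s' "$token" >"$WORK/token"
		# Same name and namespace as the service account; apply so reruns update.
		kubectl -n "$ns" create secret generic "$name" --from-file=token="$WORK/token" \
			--dry-run=client -o yaml | kubectl apply -f -
		echo "refreshed token for $ns/$name"
	done
	"""#

EsoCredsRefresherConfig: {
	apiVersion: "v1"
	kind:       "ConfigMap"
	metadata: {name: "eso-creds-refresher", namespace: "holos-system"}
	data: "refresh.sh": _script
}

EsoCredsRefresherSA: {
	apiVersion: "v1"
	kind:       "ServiceAccount"
	metadata: {
		name:      "eso-creds-refresher"
		namespace: "holos-system"
		// Workload identity binding to the IAM account named in the Forbidden error above.
		annotations: "iam.gke.io/gcp-service-account": "eso-creds-refresher@holos-run.iam.gserviceaccount.com"
	}
}

EsoCredsRefresher: {
	apiVersion: "batch/v1"
	kind:       "CronJob"
	metadata: {name: "eso-creds-refresher", namespace: "holos-system"}
	spec: {
		schedule:                   "0 */8 * * *" // every 8 hours
		concurrencyPolicy:          "Forbid"
		successfulJobsHistoryLimit: 1
		jobTemplate: spec: {
			backoffLimit: 3
			template: spec: {
				serviceAccountName: "eso-creds-refresher"
				restartPolicy:      "OnFailure"
				containers: [{
					name: "refresh"
					// Assumption: an image shipping gcloud, kubectl and the gke auth plugin.
					image:   "gcr.io/google.com/cloudsdktool/google-cloud-cli:latest"
					command: ["/bin/bash", "/config/refresh.sh"]
					env: [
						{name: "PROVISIONER_CLUSTER", value: _provisioner.cluster},
						{name: "PROVISIONER_REGION", value: _provisioner.region},
						{name: "PROVISIONER_PROJECT", value: _provisioner.project},
					]
					securityContext: allowPrivilegeEscalation: false
					volumeMounts: [{name: "config", mountPath: "/config", readOnly: true}]
				}]
				volumes: [{name: "config", configMap: name: "eso-creds-refresher"}]
			}
		}
	}
}
```

The workload-side KSA still needs RBAC to create and patch Secrets in each target namespace (not shown), and the issued tokens are bearer credentials for the provisioner cluster, so read access to those Secrets should be limited to the SecretStore's own service account.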
Without this patch the Job on a workload cluster fails with:
```
+ kubectl get serviceaccount -A --selector=holos.run/job.name=eso-creds-refresher --output=json
Error from server (Forbidden): serviceaccounts is forbidden: User
"eso-creds-refresher@holos-run.iam.gserviceaccount.com" cannot list
resource "serviceaccounts" in API group "" at the cluster scope:
requires one of ["container.serviceAccounts.list"] permission(s).
```
This label is intended for the Job to select which service accounts to
issue tokens for. For example:
```
kubectl get serviceaccount -A --selector=holos.run/job.name=eso-creds-refresher --output=json
```
Without this patch it is difficult to navigate the structure of the
configuration of the api objects because they're positional elements in
a list.
This patch extracts the configuration of the eso-reader and eso-writer
ServiceAccount, Role, and RoleBinding structs into a definition that
behaves like a function. The individual objects are fields of the
struct instead of positional elements in a list.
This patch adds a ConfigMap and Pod to the eso-creds-refresher
component. The Pod executes the gcloud container, impersonates the
eso-creds-refresher iam service account using workload identity, then
authenticates to the remote provisioner cluster.
This is the foundation for a script to automatically create Secret API
objects in a workload cluster which have a kubernetes service account
token that ESO SecretStore resources can use to fetch secrets from the
provisioner cluster.
Once we have that script in place we can turn this Pod into a Job and
replace Vault.
The provisioner cluster is a worker-less autopilot cluster that provides
secrets to other clusters in the platform. The `eso-creds-refresher`
Job in the holos-system namespace of each other cluster refreshes
service account tokens for SecretStores.
This patch adds the IAM structure for the Job implemented by Namespace,
ServiceAccount, Role, and RoleBinding api objects.
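The definition-as-function idea from the eso-reader/eso-writer message above, applied to the Namespace, ServiceAccount, Role and RoleBinding structure this message adds, as an added example that is not the project's own CUE. The `Input` struct, the `default` namespace and the verb lists are my assumptions; the `holos.run/job.name` label and the object kinds come from the messages on this page.

```cue
package holos

// #ESOCredentials bundles the api objects one ESO SecretStore needs in a
// namespace of the provisioner cluster. It behaves like a function:
// fill Input, then read the outputs by field name instead of list index.
#ESOCredentials: {
	Input: {
		name:      "eso-reader" | "eso-writer"
		namespace: string
		verbs: [...string]
	}

	Namespace: {
		apiVersion: "v1"
		kind:       "Namespace"
		metadata: name: Input.namespace
	}
	ServiceAccount: {
		apiVersion: "v1"
		kind:       "ServiceAccount"
		metadata: {
			name:      Input.name
			namespace: Input.namespace
			// The eso-creds-refresher Job selects accounts by this label.
			labels: "holos.run/job.name": "eso-creds-refresher"
		}
	}
	Role: {
		apiVersion: "rbac.authorization.k8s.io/v1"
		kind:       "Role"
		metadata: {name: Input.name, namespace: Input.namespace}
		rules: [{
			apiGroups: [""]
			resources: ["secrets"]
			verbs:     Input.verbs
		}]
	}
	RoleBinding: {
		apiVersion: "rbac.authorization.k8s.io/v1"
		kind:       "RoleBinding"
		metadata: {name: Input.name, namespace: Input.namespace}
		roleRef: {
			apiGroup: "rbac.authorization.k8s.io"
			kind:     "Role"
			name:     Role.metadata.name
		}
		subjects: [{
			kind:      "ServiceAccount"
			name:      ServiceAccount.metadata.name
			namespace: Input.namespace
		}]
	}
}

// "Call" the definition once per role (namespace and verbs are assumptions).
ESO: {
	reader: #ESOCredentials & {Input: {
		name:      "eso-reader"
		namespace: "default"
		verbs: ["get", "list", "watch"]
	}}
	writer: #ESOCredentials & {Input: {
		name:      "eso-writer"
		namespace: "default"
		verbs: ["get", "list", "watch", "create", "update", "patch"]
	}}
}

// Objects are navigated by name, e.g. ESO.reader.RoleBinding.subjects,
// rather than by position in a list.
```

Keeping the reader's Role to read-only verbs and the writer's to the minimum ESO needs is what makes the two accounts worth separating; a single broad Role would defeat the point of issuing distinct tokens.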
This patch adds a holos component to deploy a SecretStore and
ExternalSecret in the default namespace to validate authentication with
Vault is configured correctly.
The default ksa is used to authenticate to vault.
This patch makes it possible to build all components for a platform with
a single command:
```
❯ holos render ~/workspace/holos-run/holos/docs/examples/platforms/reference/...
2:51PM INF render.go:39 rendered prod-secrets-eso version=0.42.0 status=ok action=rendered name=prod-secrets-eso
2:51PM INF render.go:39 rendered prod-secrets-namespaces version=0.42.0 status=ok action=rendered name=prod-secrets-namespaces
```
Note the `reference/...` path base name. Without this patch cue tried
to build an intermediate directory instance.
In helm mode, cue is responsible for producing the values.yaml file.
Holos is responsible for taking the values produced by cue and providing
them to helm to produce rendered kubernetes api objects.
This patch adds intermediate data structures to hold the output from
cue: the helm values, the flux kustomization, and the helm charts to
provide the helm values to.
Holos takes this information and orchestrates running helm template to
render the api objects and write them to the file system for git ops.
Content seems more appropriate as a field name, and it makes sense since
we are likely to output other formats than yaml, probably json too. We
need to discriminate on content type, so also add a contentType field.
Semantics are meant to be the same as the http content type header, but
simple.
The intent is for all of the output formats to share a common `name`
field, useful to construct a file name to write rendered output to for
git ops.
This is equivalent to the OrderedComponent name specified in the
platform.yaml in the prototype.
Leaf directories can output different kinds of things:
1. Platform specification. A list of components to manage.
2. Kubernetes API Objects suitable for kubectl apply -f- and friends.
3. Helm values to provide to a helm chart to render API objects.
This patch adds an output schema and a kind discriminator so the holos
cli can figure out what type of output it's working with. This makes it
possible to have a single `holos build <directory>` command that does
the right thing.
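One way to write the output schema the last three messages describe (the helm values, kustomization and chart data, the common `name`/`contentType`/`content` fields, and the `kind` discriminator) as a CUE discriminated union. This is an added example, not the schema from the holos repository; the definition names, the field names other than those quoted in the messages, the regex on `name`, and the choice that `content` of a HelmChart holds values.yaml are assumptions.

```cue
package holos

import "encoding/yaml"

// Common to every kind of output. name is the file base name written
// for git ops; contentType follows the http header in simplified form.
#Common: {
	kind:        string
	name:        string & =~"^[a-z0-9][a-z0-9-]*$"
	contentType: *"application/yaml" | "application/json"
	content:     string
}

// 1. Platform specification: the list of components to manage.
#PlatformSpec: {
	#Common
	kind: "PlatformSpec"
	spec: components: [...{name: string, path: string}]
	content: yaml.Marshal(spec)
}

// 2. Kubernetes api objects suitable for `kubectl apply -f -`.
#KubernetesObjects: {
	#Common
	kind: "KubernetesObjects"
	objects: [...{apiVersion: string, kind: string, metadata: name: string, ...}]
	content: yaml.MarshalStream(objects)
}

// 3. Helm values plus what holos needs to run `helm template` and
//    hand the rendered objects to flux.
#HelmChart: {
	#Common
	kind: "HelmChart"
	chart: {name: string, version: string, repository: string}
	values: {...}
	kustomization: {
		apiVersion: "kustomize.toolkit.fluxcd.io/v1"
		kind:       "Kustomization"
		metadata: {name: string, namespace: string}
		spec: {...}
	}
	// content carries values.yaml; holos writes it and passes it to helm.
	content: yaml.Marshal(values)
}

// The discriminated union: kind selects exactly one alternative, which is
// how a single `holos build <directory>` can tell what it is looking at.
#Output: #PlatformSpec | #KubernetesObjects | #HelmChart

// A concrete component; setting kind eliminates the other two branches.
out: #Output & {
	kind: "KubernetesObjects"
	name: "prod-secrets-namespaces"
	objects: [{
		apiVersion: "v1"
		kind:       "Namespace"
		metadata: name: "external-secrets"
	}]
}
```

`cue export -e out` renders `content` as a yaml stream alongside the discriminator fields. If `name` or an object field is left unfilled, export fails with the same "incomplete value string" error shown in the log earlier on this page, which is the desired behaviour: an incomplete component should never reach the file system.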
This patch adds the first platform component built with CUE. The intent
is to give a concrete use case for migrating the platform.yaml spec over
to the new approach with CUE.
This component is a simple namespace for the external secrets operator.
The majority of this patch is in setting up the structure of the CUE
module. The component is _not_ wired up to the holos cli yet, instead
it's built directly with cue using:
```
cd ./docs/examples/
cue export --out text -t cluster=core1 -e out ./platforms/reference/projects/secrets/components/namespaces/...
```
The command produces the same output as was previously produced using
helm templates [here][1].
[1]: https://github.com/holos-run/holos-infra/blob/v0.4.0/deploy/clusters/core1/components/prod-secrets-namespaces/prod-secrets-namespaces.nofmt.yaml
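An added example (not the component from the holos repository) of what the `-t cluster=core1 -e out` invocation above relies on: the cluster name injected by tag, and a cluster type used to let gke/eks clusters skip metal-only output, as the ceph-csi-rbd message at the top of this page expects. The cluster inventory, the `holos.run/cluster.*` label keys and the ceph-csi-rbd namespace name are constructed for illustration.

```cue
package holos

import "encoding/yaml"

// Injected with `-t cluster=core1`. No default, so forgetting the tag
// leaves out incomplete and the export fails rather than rendering
// for the wrong cluster.
cluster: string @tag(cluster)

// Constructed inventory (assumption, not the project's own).
_clusters: {
	core1: type: "metal"
	k2:    type: "metal"
	gke1:  type: "gke"
}
_type: _clusters[cluster].type

// Constructed label keys, modelled on the holos.run/job.name label above.
_labels: {
	"holos.run/cluster.name": cluster
	"holos.run/cluster.type": _type
}

_objects: [
	// The external secrets operator namespace exists on every cluster.
	{
		apiVersion: "v1"
		kind:       "Namespace"
		metadata: {name: "external-secrets", labels: _labels}
	},
	// Only metal clusters get the ceph namespace; gke/eks skip it.
	if _type == "metal" {
		apiVersion: "v1"
		kind:       "Namespace"
		metadata: {name: "ceph-csi-rbd", labels: _labels}
	},
]

// Selected with `-e out`; `--out text` prints the multi-document stream.
out: yaml.MarshalStream(_objects)
```

Indexing `_clusters` with the tag value also rejects unknown cluster names at export time, so a typo in `-t cluster=` produces an error instead of an unlabelled render.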