Merge pull request #87 from mjudeikis/upstream.align

✨  Nit fixes for sharded example

charts/cache/values.yaml

@@ -4,6 +4,7 @@ cache:
   image: ghcr.io/kcp-dev/kcp
   # set this to override the image tag used for kcp (determined by chart appVersion by default).
   tag: ""
+  v: "3"
   pullPolicy: Always
   service:
     annotations: {}

charts/proxy/values.yaml

@@ -4,6 +4,7 @@ kcpFrontProxy:
   image: ghcr.io/kcp-dev/kcp
   # set this to override the image tag used for kcp-front-proxy (determined by chart appVersion by default).
   tag: ""
+  v: "3"
   pullPolicy: IfNotPresent
   tokenAuth:
     enabled: false
@@ -86,6 +87,26 @@ oidc:
   # certs in the tls.crt chain. As you cannot say "use this Secret, but the
   # second cert in the tls.crt key", it's easier to mount the CA cert secret.
   caSecretKeyName: "tls.crt"
+
+audit:
+  enabled: false
+  volumeSize: 1Gi
+  volumeClassName: ""
+  policy:
+    dir: /etc/kcp/audit
+    fileName: audit-policy.yml
+    config: |
+      # Log all requests at the Metadata level.
+      apiVersion: audit.k8s.io/v1
+      kind: Policy
+      rules:
+      - level: Metadata
+  log:
+    maxAge: "10"
+    maxSize: "250"
+    maxBackup: "1"
+    dir: /var/audit
+
 certificates:
   name: certs
   kcp:

charts/shard/values.yaml

@@ -76,6 +76,17 @@ kcpFrontProxy:
   # certificateIssuer:
   #   name: ""
   #   kind: Issuer
+oidc:
+  enabled: false
+  caSecretName: ""
+  # assuming you're using cert-manager, you want to mount the CA certificate
+  # directly and use its tls.crt key; if you instead mount a certificate that
+  # is _signed by_ the OIDC CA, then do not use its ca.crt key, as it is the
+  # absolute top root CA, the CA that actually signed the cert is one of the
+  # certs in the tls.crt chain. As you cannot say "use this Secret, but the
+  # second cert in the tls.crt key", it's easier to mount the CA cert secret.
+  caSecretKeyName: "tls.crt"
+
 audit:
   enabled: false
   volumeSize: 1Gi
@@ -94,16 +105,6 @@ audit:
     maxSize: "250"
     maxBackup: "1"
     dir: /var/audit
-oidc:
-  enabled: false
-  caSecretName: ""
-  # assuming you're using cert-manager, you want to mount the CA certificate
-  # directly and use its tls.crt key; if you instead mount a certificate that
-  # is _signed by_ the OIDC CA, then do not use its ca.crt key, as it is the
-  # absolute top root CA, the CA that actually signed the cert is one of the
-  # certs in the tls.crt chain. As you cannot say "use this Secret, but the
-  # second cert in the tls.crt key", it's easier to mount the CA cert secret.
-  caSecretKeyName: "tls.crt"
 
 # caBundle is a CA bundle that will be used to verify connections.
 # see https://cert-manager.io/docs/trust/trust-manager/#installation
@@ -114,6 +115,7 @@ caBundle:
 
 cache:
   enabled: false
+
 externalCache:
   enabled: false
 

examples/sharded/deploy-kcp.sh

@@ -17,6 +17,5 @@ helm upgrade --install --values kind-values-phase3-alpha.yaml --namespace kcp-al
 echo "Deploy frontend proxy"
 helm upgrade --install --values kind-values-phase3-proxy.yaml --namespace kcp-proxy --create-namespace kcp-proxy ../../charts/proxy
 
-
 echo "Deploy beta shard"
 helm upgrade --install --values kind-values-phase3-beta.yaml --namespace kcp-beta --create-namespace kcp-beta ../../charts/shard

examples/sharded/kind-values-phase1.yaml

@@ -25,9 +25,10 @@ certificates:
     enabled: true
     annotations:
       reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache,cert-manager"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache,cert-manager,idp"
       reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache,cert-manager"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache,cert-manager,idp"
+
 letsEncrypt:
   enabled: false
   staging:
@@ -36,6 +37,7 @@ letsEncrypt:
     # Let's Encrypt will use this to contact you about expiring
     # certificates, and issues related to your account.
     email: <your-email-address>
+
   production:
     enabled: true
     # You must replace this email address with your own.

examples/sharded/kind-values-phase2-proxy.yaml

@@ -18,7 +18,7 @@ certificates:
 #     kind: ClusterIssuer
   dnsNames:
   - localhost
-  - kcp.faros.sh
+  - kcp.dev.local
   name: certs
   kcp:
     pki: false
@@ -36,6 +36,6 @@ certificates:
     enabled: true
     annotations:
       reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache,idp"
       reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kcp-alpha,kcp-beta,kcp-proxy,kcp-cache,idp"

examples/sharded/kind-values-phase3-alpha.yaml

@@ -15,11 +15,16 @@ kcp:
   externalLogicalClusterAdminFlag: true
   tag: main
   enabled: true
+  v: 8
   tokenAuth:
     enabled: true
   batteries:
     - workspace-types
     - metrics-viewer
+  extraFlags:
+  - --feature-gates=WorkspaceMounts=true
+  homeWorkspaces:
+    enabled: true
 externalCache:
   enabled: true
   cacheInternalHostname: "cache-cache.kcp-cache.svc"
@@ -28,3 +33,14 @@ sharding:
   isRoot: true
 caBundle:
   enabled: false
+  configMapName: kcp.dev.local
+  configMapKey: root-certs.pem
+oidc:
+  enabled: true
+  issuerUrl: https://idp.dev.local:6443
+  clientId: kcp-dev
+  groupClaim: groups
+  usernameClaim: email
+  usernamePrefix: kcp-dev-idp-
+  groupsPrefix: kcp-dev-idp-
+  caSecretName: dex-pki-ca

examples/sharded/kind-values-phase3-beta.yaml

@@ -14,12 +14,16 @@ etcd:
 kcp:
   tag: main
   enabled: true
-  v: 12
+  v: 8
   tokenAuth:
     enabled: true
   batteries:
     - workspace-types
     - metrics-viewer
+  extraFlags:
+  - --feature-gates=WorkspaceMounts=true
+  homeWorkspaces:
+    enabled: true
 externalCache:
   enabled: true
   cacheInternalHostname: "cache-cache.kcp-cache.svc"
@@ -29,5 +33,14 @@ sharding:
   rootShardInternalHostname: "alpha.kcp-alpha.svc.cluster.local"
 caBundle:
   enabled: false
-  configMapName: faros.sh
+  configMapName: kcp.dev.local
   configMapKey: root-certs.pem
+oidc:
+  enabled: true
+  issuerUrl: https://idp.dev.local:6443
+  clientId: kcp-dev
+  groupClaim: groups
+  usernameClaim: email
+  usernamePrefix: kcp-dev-idp-
+  groupsPrefix: kcp-dev-idp-
+  caSecretName: dex-pki-ca

examples/sharded/kind-values-phase3-cache.yaml

@@ -10,5 +10,6 @@ fullnameOverride: cache
 externalHostname: "kcp.dev.local"
 cache:
   enabled: true
+  v: 8
 certificates:
   name: certs

examples/sharded/kind-values-phase3-proxy.yaml

@@ -37,3 +37,14 @@ sharding:
   rootShardInternalHostname: "alpha.kcp-alpha.svc.cluster.local"
 caBundle:
   enabled: false
+  configMapName: kcp.dev.local
+  configMapKey: root-certs.pem
+oidc:
+  enabled: true
+  issuerUrl: https://idp.dev.local:6443
+  clientId: kcp-dev
+  groupClaim: groups
+  usernameClaim: email
+  usernamePrefix: kcp-dev-idp-
+  groupsPrefix: kcp-dev-idp-
+  caSecretName: dex-pki-ca