Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add example for using kubetruth to generate CRDs that control kubetruth
Showing 4 changed files with 211 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
# Using kubetruth to deploy | ||
|
||
This example uses kubetruth to configure kubetruth by creating kubetruth | ||
ProjectMapping CRDs from the CloudTruth project named kubetruth. | ||
|
||
It provides 2 variants: | ||
|
||
* `values-parameter-driven.yaml`: | ||
The CloudTruth parameters are organized according to their dot-notated keys to | ||
simulate a hash of the attributes for the CRD and then a CRD yaml is created | ||
and applied for each grouping. For example with CloudTruth parameters like the following: | ||
``` | ||
foo.project_selector: ^foo$ | ||
foo.skip: true | ||
bar.project_selector: ^bar$ | ||
bar.resource_templates.secret: "" | ||
``` | ||
kubetruth will create a CRD named foo, that skips processing for the project named foo, and | ||
another CRD named bar that prevents generation of the default secret resource by | ||
setting its template to empty | ||
* `values-template-driven.yaml`: | ||
Each CloudTruth template is treated as a complete CRD yaml and applied verbatim | ||
## Setup CloudTruth Credentials | ||
Login to CloudTruth, and create an api key, then add it to your environment | ||
``` | ||
export CLOUDTRUTH_API_KEY=your_api_key | ||
``` | ||
## Setup a project to configure the deploy | ||
``` | ||
cloudtruth projects set kubetruth | ||
``` | ||
## (Optional) Setup [minikube](https://minikube.sigs.k8s.io/docs/start/) to test locally | ||
``` | ||
minikube start | ||
``` | ||
## Setup kubetruth to apply a deployment resource for that project | ||
To try the parameter driven variant, install kubetruth with the following settings: | ||
``` | ||
helm install --values examples/inception/values-parameter-driven.yaml --set appSettings.apiKey=$CLOUDTRUTH_API_KEY kubetruth cloudtruth/kubetruth | ||
``` | ||
OR to try the template driven variant variant, install kubetruth like: | ||
``` | ||
helm install --values examples/inception/values-template-driven.yaml --set appSettings.apiKey=$CLOUDTRUTH_API_KEY kubetruth cloudtruth/kubetruth | ||
``` | ||
## Check kubetruth is up | ||
``` | ||
kubectl describe deployment kubetruth | ||
kubectl logs deployment/kubetruth | ||
``` | ||
## Add a project that we can affect with a CRD | ||
``` | ||
cloudtruth projects set nosecret | ||
cloudtruth --project nosecret parameter set --value myval aParam | ||
cloudtruth --project nosecret parameter set --secret true --value sekret aSecret | ||
``` | ||
Note that no resources get generated for it yet since our root selector was set to skip all: | ||
``` | ||
kubectl describe configmap nosecret | ||
kubectl describe secret nosecret | ||
``` | ||
## Create and verify a parameter-driven CRD | ||
If you installed kubetruth using the parameter driven variant of this example, | ||
create some CloudTruth parameters to be interpreted as a CRD: | ||
``` | ||
cloudtruth --project kubetruth parameter set --value "^nosecret$" nosecret.project_selector | ||
cloudtruth --project kubetruth parameter set --value "" nosecret.resource_templates.secret | ||
cloudtruth --project kubetruth parameter set --value "false" nosecret.skip # we skipped globally in the root, so need to undo it | ||
``` | ||
Note that a ConfigMap gets generated, but a Secret does not: | ||
``` | ||
kubectl describe configmap nosecret | ||
kubectl describe secret nosecret | ||
``` | ||
Re-enable Secret generation: | ||
``` | ||
cloudtruth --project kubetruth parameter delete nosecret.resource_templates.secret | ||
``` | ||
Note that a Secret is now being generated: | ||
``` | ||
kubectl describe secret nosecret # a Secret resource should now be generated | ||
``` | ||
## Create and verify a template-driven CRD | ||
If you installed kubetruth using the template driven variant of this example, create a CloudTruth template to be written as the CRD: | ||
``` | ||
cloudtruth --project kubetruth template set --body examples/inception/nosecret.tmpl.yaml nosecret | ||
``` | ||
Similar steps can be followed to verify the behavior like one does in the parameter driven variant |
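Review bot: Both `helm install` commands pass the key as `--set appSettings.apiKey=$CLOUDTRUTH_API_KEY`, unquoted and on the command line, so it is visible in the process arguments and is kept with the release's user-supplied values. Quote the expansion as `"$CLOUDTRUTH_API_KEY"` and add a sentence telling readers to use a key created for this walkthrough and revoke it afterwards. The line introducing the second command reads "template driven variant variant"; drop the repeated word. The final section ends with "Similar steps can be followed" without listing them; repeating the two `kubectl describe` checks there would let the template-driven path be verified on its own.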
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: kubetruth.cloudtruth.com/v1 | ||
kind: ProjectMapping | ||
metadata: | ||
name: nosecret | ||
spec: | ||
skip: false | ||
project_selector: "^nosecret$" | ||
resource_templates: | ||
secret: "" |
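Review bot: The `secret: ""` entry under `resource_templates` carries no comment, and a reader of this file alone cannot tell that the empty string is what turns Secret generation off for the matched project. Add a one-line comment above it, and another on `skip: false` noting that it undoes the root mapping's `skip: true`, since the template-driven variant applies this file verbatim.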
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
# Setup the kubetruth CRD to ignore all projects except for the one named deploytest | ||
# For the deploytest project, get the resource template from the cloudtruth template named deployment | ||
projectMappings: | ||
|
||
# Define the root project mapping, skipping all projects except for the | ||
# example we care about | ||
root: | ||
scope: "root" | ||
environment: default | ||
skip: true | ||
|
||
# Define an override ProjectMapping to create kubetruth CRDs from the | ||
# CloudTruth project named kubetruth | ||
kubetruth: | ||
scope: "override" | ||
skip: false | ||
project_selector: "^kubetruth$" | ||
resource_templates: | ||
# Disable default templates for this project as they aren't needed | ||
configmap: "" | ||
secret: "" | ||
|
||
crds: | | ||
{%- if parameters.size > 0 %} {{ parameters | nindent: "five" }} | ||
{%- comment %} | ||
Use the inflate filter to convert parameters to a structured form | ||
based on a dot delimiter. The namespace can be specified with a slash | ||
in the first part of the key, e.g. | ||
myoverride.project_selector # uses default/installed namespace | ||
mynamespace/myoverride.project_selector # uses mynamespace | ||
{%- endcomment %} | ||
{%- assign inflated_params = parameters | inflate %} | ||
{%- for crd in inflated_params %} | ||
{%- assign name_parts = crd[0] | split: "/" %} | ||
{%- assign name = name_parts | last %} | ||
apiVersion: kubetruth.cloudtruth.com/v1 | ||
kind: ProjectMapping | ||
metadata: | ||
name: "{{ name }}" | ||
{%- if name_parts.size > 1 %} | ||
namespace: "{{ name_parts | first }}" | ||
{%- endif %} | ||
spec: | ||
{% if crd[1] contains "scope" %}scope: "{{ crd[1].scope }}"{% endif %} | ||
{% if crd[1] contains "environment" %}environment: "{{ crd[1].environment }}"{% endif %} | ||
{% if crd[1] contains "project_selector" %}project_selector: "{{ crd[1].project_selector }}"{% endif %} | ||
{% if crd[1] contains "key_selector" %}key_selector: "{{ crd[1].key_selector }}"{% endif %} | ||
{% if crd[1] contains "skip" %}skip: {{ crd[1].skip }}{% endif %} | ||
{% if crd[1] contains "included_projects" %}included_projects: {{ crd[1].included_projects }}{% endif %} | ||
{% if crd[1] contains "context" %} | ||
context: | ||
{{ crd[1].context | to_yaml: no_header: true | nindent: 4 }} | ||
{% endif %} | ||
{% if crd[1] contains "resource_templates" %} | ||
resource_templates: | ||
{{ crd[1].resource_templates | to_yaml: no_header: true | nindent: 4 }} | ||
{% endif %} | ||
{% unless forloop.last %}---{% endunless %} | ||
{%- endfor %} | ||
{%- endif %} |
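Review bot: The first line of the `crds` template, `{%- if parameters.size > 0 %} {{ parameters | nindent: "five" }}`, emits the parameters into the output ahead of the first document and passes the string "five" to `nindent`, which takes an integer (`nindent: 4`) everywhere else in this file; it reads like leftover debugging and should be removed so that only the ProjectMapping documents are produced. The header comment describes a `deploytest` project and a template named `deployment`, neither of which appears in this file, so it should be rewritten for the `kubetruth` project. The `spec` lines interpolate parameter values directly into double-quoted YAML scalars, for example `project_selector: "{{ crd[1].project_selector }}"`, so a regex containing a backslash or a double quote yields invalid or altered YAML; escape the value before interpolating it. Because the `namespace/name` key form lets a parameter place a ProjectMapping in any namespace, a comment should state that write access to this CloudTruth project controls kubetruth's mappings.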
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# Setup the kubetruth CRD to ignore all projects except for the one named deploytest | ||
# For the deploytest project, get the resource template from the cloudtruth template named deployment | ||
projectMappings: | ||
|
||
# Define the root project mapping, skipping all projects except for the | ||
# example we care about | ||
root: | ||
scope: "root" | ||
environment: default | ||
skip: true | ||
|
||
# Define an override ProjectMapping to create kubetruth CRDs from the | ||
# CloudTruth project named kubetruth | ||
kubetruth: | ||
scope: "override" | ||
skip: false | ||
project_selector: "^kubetruth$" | ||
resource_templates: | ||
# Disable default templates for this project as they aren't needed | ||
configmap: "" | ||
secret: "" | ||
|
||
crds: | | ||
{%- for template in templates.names %} | ||
{{ templates[template] }} | ||
{% unless forloop.last %}---{% endunless %} | ||
{%- endfor %} |
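Review bot: In the `crds` loop, `{{ templates[template] }}` emits every template in the project unmodified, and nothing limits the output to `kind: ProjectMapping`, so whatever a template body contains is what gets handed on to be applied. Either check the kind before emitting or add a comment stating that write access to templates in the `kubetruth` project must be restricted accordingly. The header comment does not match this file: it mentions a `deploytest` project and a `deployment` template that are not used here.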