add example for using kubetruth to generate CRDs that control kubetruth
wr0ngway committed Sep 16, 2021
1 parent 9fef257 commit 25b09d3
Showing 4 changed files with 211 additions and 0 deletions.
110 changes: 110 additions & 0 deletions examples/inception/README.md
@@ -0,0 +1,110 @@
# Using kubetruth to deploy

This example uses kubetruth to configure kubetruth by creating kubetruth
ProjectMapping CRDs from the CloudTruth project named kubetruth.

It provides 2 variants:

* `values-parameter-driven.yaml`:
The CloudTruth parameters are organized according to their dot-notated keys to
simulate a hash of the attributes for the CRD and then a CRD yaml is created
and applied for each grouping. For example with CloudTruth parameters like the following:
```
foo.project_selector: ^foo$
foo.skip: true
bar.project_selector: ^bar$
bar.resource_templates.secret: ""
```
kubetruth will create a CRD named foo, that skips processing for the project named foo, and
another CRD named bar that prevents generation of the default secret resource by
setting its template to empty
* `values-template-driven.yaml`:
Each CloudTruth template is treated as a complete CRD yaml and applied verbatim
## Setup CloudTruth Credentials
Login to CloudTruth, and create an api key, then add it to your environment
```
export CLOUDTRUTH_API_KEY=your_api_key
```
## Setup a project to configure the deploy
```
cloudtruth projects set kubetruth
```
## (Optional) Setup [minikube](https://minikube.sigs.k8s.io/docs/start/) to test locally
```
minikube start
```
## Setup kubetruth to apply a deployment resource for that project
To try the parameter driven variant, install kubetruth with the following settings:
```
helm install --values examples/inception/values-parameter-driven.yaml --set appSettings.apiKey=$CLOUDTRUTH_API_KEY kubetruth cloudtruth/kubetruth
```
OR to try the template driven variant variant, install kubetruth like:
```
helm install --values examples/inception/values-template-driven.yaml --set appSettings.apiKey=$CLOUDTRUTH_API_KEY kubetruth cloudtruth/kubetruth
```
## Check kubetruth is up
```
kubectl describe deployment kubetruth
kubectl logs deployment/kubetruth
```
## Add a project that we can affect with a CRD
```
cloudtruth projects set nosecret
cloudtruth --project nosecret parameter set --value myval aParam
cloudtruth --project nosecret parameter set --secret true --value sekret aSecret
```
Note that no resources get generated for it yet since our root selector was set to skip all:
```
kubectl describe configmap nosecret
kubectl describe secret nosecret
```
## Create and verify a parameter-driven CRD
If you installed kubetruth using the parameter driven variant of this example,
create some CloudTruth parameters to be interpreted as a CRD:
```
cloudtruth --project kubetruth parameter set --value "^nosecret$" nosecret.project_selector
cloudtruth --project kubetruth parameter set --value "" nosecret.resource_templates.secret
cloudtruth --project kubetruth parameter set --value "false" nosecret.skip # we skipped globally in the root, so need to undo it
```
Note that a ConfigMap gets generated, but a Secret does not:
```
kubectl describe configmap nosecret
kubectl describe secret nosecret
```
Re-enable Secret generation:
```
cloudtruth --project kubetruth parameter delete nosecret.resource_templates.secret
```
Note that a Secret is now being generated:
```
kubectl describe secret nosecret # a Secret resource should now be generated
```
## Create and verify a template-driven CRD
If you installed kubetruth using the template driven variant of this example, create a CloudTruth template to be written as the CRD:
```
cloudtruth --project kubetruth template set --body examples/inception/nosecret.tmpl.yaml nosecret
```
Similar steps can be followed to verify the behavior like one does in the parameter driven variant
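
Review bot: Both `helm install` commands under "Setup kubetruth to apply a deployment resource for that project" pass the API key as `--set appSettings.apiKey=$CLOUDTRUTH_API_KEY`, unquoted. Values given with `--set` are stored with the Helm release and can be read back with `helm get values kubetruth`, so the README should say so and recommend a key created only for this test. Quote the expansion (`"$CLOUDTRUTH_API_KEY"`) in both commands. In the same section, "template driven variant variant" repeats a word. The resources the README calls CRDs throughout are ProjectMapping custom resources (instances of the CRD), which is worth one clarifying sentence near the top.
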
9 changes: 9 additions & 0 deletions examples/inception/nosecret.tmpl.yaml
@@ -0,0 +1,9 @@
apiVersion: kubetruth.cloudtruth.com/v1
kind: ProjectMapping
metadata:
name: nosecret
spec:
skip: false
project_selector: "^nosecret$"
resource_templates:
secret: ""
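
Review bot: `skip: false` and `secret: ""` under `spec` have no comment, and neither is self-explanatory to someone reading this file without the README: the first undoes the root mapping's `skip: true`, the second turns off Secret generation for the project. Add a one-line comment on each, as the README's parameter-driven commands already do for `nosecret.skip`.
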
65 changes: 65 additions & 0 deletions examples/inception/values-parameter-driven.yaml
@@ -0,0 +1,65 @@
# Setup the kubetruth CRD to ignore all projects except for the one named deploytest
# For the deploytest project, get the resource template from the cloudtruth template named deployment
projectMappings:

# Define the root project mapping, skipping all projects except for the
# example we care about
root:
scope: "root"
environment: default
skip: true

# Define an override ProjectMapping to create kubetruth CRDs from the
# CloudTruth project named kubetruth
kubetruth:
scope: "override"
skip: false
project_selector: "^kubetruth$"
resource_templates:
# Disable default templates for this project as they aren't needed
configmap: ""
secret: ""

crds: |
{%- if parameters.size > 0 %} {{ parameters | nindent: "five" }}
{%- comment %}
Use the inflate filter to convert parameters to a structured form
based on a dot delimiter. The namespace can be specified with a slash
in the first part of the key, e.g.
myoverride.project_selector # uses default/installed namespace
mynamespace/myoverride.project_selector # uses mynamespace
{%- endcomment %}
{%- assign inflated_params = parameters | inflate %}
{%- for crd in inflated_params %}
{%- assign name_parts = crd[0] | split: "/" %}
{%- assign name = name_parts | last %}
apiVersion: kubetruth.cloudtruth.com/v1
kind: ProjectMapping
metadata:
name: "{{ name }}"
{%- if name_parts.size > 1 %}
namespace: "{{ name_parts | first }}"
{%- endif %}
spec:
{% if crd[1] contains "scope" %}scope: "{{ crd[1].scope }}"{% endif %}
{% if crd[1] contains "environment" %}environment: "{{ crd[1].environment }}"{% endif %}
{% if crd[1] contains "project_selector" %}project_selector: "{{ crd[1].project_selector }}"{% endif %}
{% if crd[1] contains "key_selector" %}key_selector: "{{ crd[1].key_selector }}"{% endif %}
{% if crd[1] contains "skip" %}skip: {{ crd[1].skip }}{% endif %}
{% if crd[1] contains "included_projects" %}included_projects: {{ crd[1].included_projects }}{% endif %}
{% if crd[1] contains "context" %}
context:
{{ crd[1].context | to_yaml: no_header: true | nindent: 4 }}
{% endif %}
{% if crd[1] contains "resource_templates" %}
resource_templates:
{{ crd[1].resource_templates | to_yaml: no_header: true | nindent: 4 }}
{% endif %}
{% unless forloop.last %}---{% endunless %}
{%- endfor %}
{%- endif %}
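
Review bot: The first line of the `crds` template, `{%- if parameters.size > 0 %} {{ parameters | nindent: "five" }}`, looks like leftover debugging: it writes the raw parameter map into the output ahead of the first ProjectMapping document, and it passes the string "five" where the later `nindent: 4` calls pass an integer. Drop the `{{ parameters | ... }}` expression and keep only the `if`. Separately, the `spec` lines interpolate parameter values straight into double-quoted YAML (`project_selector: "{{ crd[1].project_selector }}"`), so a selector regex containing a backslash or a double quote will be mangled or will break the document. Render those scalars through a filter that emits valid YAML, as the `context` and `resource_templates` branches already do with `to_yaml`.
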
27 changes: 27 additions & 0 deletions examples/inception/values-template-driven.yaml
@@ -0,0 +1,27 @@
# Setup the kubetruth CRD to ignore all projects except for the one named deploytest
# For the deploytest project, get the resource template from the cloudtruth template named deployment
projectMappings:

# Define the root project mapping, skipping all projects except for the
# example we care about
root:
scope: "root"
environment: default
skip: true

# Define an override ProjectMapping to create kubetruth CRDs from the
# CloudTruth project named kubetruth
kubetruth:
scope: "override"
skip: false
project_selector: "^kubetruth$"
resource_templates:
# Disable default templates for this project as they aren't needed
configmap: ""
secret: ""

crds: |
{%- for template in templates.names %}
{{ templates[template] }}
{% unless forloop.last %}---{% endunless %}
{%- endfor %}
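
Review bot: The `crds` loop emits `{{ templates[template] }}` for every name in `templates.names` with no check on what the template contains, so anyone who can write templates in the CloudTruth project named kubetruth can have kubetruth apply any manifest that kubetruth itself is permitted to create in the cluster, not only ProjectMapping resources. Either state that trust assumption in a comment above `crds`, or guard the loop so that only bodies declaring `kind: ProjectMapping` are emitted. The two header comment lines refer to a project named deploytest and a template named deployment, neither of which appears in this example; the same stale header is in values-parameter-driven.yaml.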
