Expose values in kapp-controller package

.github/workflows/kind-action.yml

@@ -38,7 +38,7 @@ jobs:
 
           source ./hack/version-util.sh
 
-          ytt -f config -f config-dev -v dev.version="$(get_kappctrl_ver)+develop" | kbld -f- > kbld.out 2> kbldmeta.out
+          ytt -f config/config -f config/values-schema.yml -f config-dev -v dev.version="$(get_kappctrl_ver)+develop" | kbld -f- > kbld.out 2> kbldmeta.out
           cat kbldmeta.out | tail -n 1 | sed 's/.*final: kapp-controller -> \(.*\)$/\1/p'  | tail -n 1 | xargs kind load docker-image --name kinder
           kapp deploy -a kc -f kbld.out -c -y
 

config/0-namespace.yml → config/config/0-namespace.yml

@@ -4,16 +4,16 @@
 #! has Namespace first so that kubectl can can install kc
 #! (kapp of course perm automatic ordering)
 
-#@ if/end data.values.namespace != "default" and data.values.create_namespace:
+#@ if/end data.values.namespace != "default" and data.values.createNamespace:
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: #@ data.values.namespace
 
-#@ if/end data.values.packaging_global_namespace != "" and data.values.create_packaging_namespace:
+#@ if/end data.values.packagingGlobalNamespace != "" and data.values.createPackagingNamespace:
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: #@ data.values.packaging_global_namespace
+  name: #@ data.values.packagingGlobalNamespace

config/deployment.yml → config/config/deployment.yml

@@ -23,11 +23,11 @@ spec:
       - name: kapp-controller
         image: kapp-controller
         args:
-        - #@ "-packaging-global-namespace={}".format(data.values.packaging_global_namespace)
-        #@ if/end data.values.dangerous_enable_pprof:
+        - #@ "-packaging-global-namespace={}".format(data.values.packagingGlobalNamespace)
+        #@ if/end data.values.dangerousEnablePprof:
         - -dangerous-enable-pprof=true
-        - #@ "-enable-api-priority-and-fairness={}".format(data.values.enable_api_priority_and_fairness)
-        - #@ "-tls-cipher-suites={}".format(data.values.tls_cipher_suites)
+        - #@ "-enable-api-priority-and-fairness={}".format(data.values.enableApiPriorityAndFairness)
+        - #@ "-tls-cipher-suites={}".format(data.values.tlsCipherSuites)
         env:
         - name: KAPPCTRL_MEM_TMP_DIR
           value: /etc/kappctrl-mem-tmp
@@ -38,7 +38,7 @@ spec:
             fieldRef:
               fieldPath: metadata.namespace
         - name: KAPPCTRL_API_PORT
-          value: #@ str(data.values.api_port)
+          value: #@ str(data.values.apiPort)
         resources:
           requests:
             cpu: 120m
@@ -49,7 +49,7 @@ spec:
         - name: home
           mountPath: /home/kapp-controller
         ports:
-        - containerPort: #@ data.values.api_port
+        - containerPort: #@ data.values.apiPort
           name: api
           protocol: TCP
         securityContext:
@@ -96,7 +96,7 @@ spec:
       - name: empty-sa
         emptyDir: {}
 
-#@ if/end data.values.dangerous_enable_pprof:
+#@ if/end data.values.dangerousEnablePprof:
 ---
 apiVersion: v1
 kind: Service

config/rbac.yml → config/config/rbac.yml

@@ -63,7 +63,7 @@ rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
-#@ if/end data.values.enable_api_priority_and_fairness:
+#@ if/end data.values.enableApiPriorityAndFairness:
 - apiGroups: ["flowcontrol.apiserver.k8s.io"]
   resources: ["prioritylevelconfigurations", "flowschemas"]
   verbs: ["list", "watch"]

config/overlays/controller-config-overlay.yml

@@ -0,0 +1,14 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name": "kapp-controller"}})
+#@overlay/insert before=True
+---
+#! This optional Secret must be created before the kapp-controller pod launches in order to read it.
+apiVersion: v1
+kind: Secret
+metadata:
+  #! Name must be `kapp-controller-config` for kapp controller to pick it up
+  name: kapp-controller-config
+  namespace: #@ data.values.namespace
+stringData: #@ data.values.config

config/overlays/crd-overlay.yml

@@ -0,0 +1,9 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@overlay/match by=overlay.subset({"metadata":{"name":"packagerepositories.packaging.carvel.dev"}})
+---
+metadata:
+  #@overlay/match missing_ok=True
+  annotations:
+    packaging.carvel.dev/global-namespace: #@ data.values.packagingGlobalNamespace

config/overlays/update-deployment.yml

@@ -0,0 +1,69 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+#@ load("@ytt:yaml", "yaml")
+
+#@ def is_toleration_specified(toleration):
+#@   return toleration in yaml.decode(yaml.encode(data.values.tolerations))
+#@ end
+
+#@ default_tolerations = []
+#@ is_primary_specified = is_toleration_specified({"effect":"NoSchedule", "key":"node-role.kubernetes.io/master"})
+#@ is_control_specified = is_toleration_specified({"effect":"NoSchedule", "key":"node-role.kubernetes.io/control-plane"})
+
+#@ if is_primary_specified and not is_control_specified:
+#@   default_tolerations += [{"effect":"NoSchedule", "key":"node-role.kubernetes.io/control-plane"}]
+#@ end
+
+#@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name": "kapp-controller"}})
+---
+spec:
+  template:
+    #@overlay/match-child-defaults missing_ok=True
+    spec:
+      containers:
+      #@overlay/match by=overlay.subset({"name":"kapp-controller"})
+      - args:
+        #@overlay/append
+        - #@ "-concurrency={}".format(data.values.concurrency)
+        #@overlay/append
+        - #@ "-metrics-bind-address={}".format(data.values.metricsBindAddress)
+
+      #@overlay/match by=overlay.subset({"name":"kapp-controller-sidecarexec"})
+      -
+        #@ if/end data.values.coreDNSIP:
+        volumeMounts:
+          - mountPath: /etc
+            name: etc
+
+      #@ if data.values.coreDNSIP:
+      #! Using init container bypasses the restriction of not having root access in main container
+      #! It modifies /etc/resolv.conf which is shared to main container
+      initContainers:
+      - args:
+        - -c
+        - #@ "cp /etc/resolv.conf /etc/resolv.conf.bak; sed '1 i nameserver " + data.values.coreDNSIP + "' /etc/resolv.conf.bak > /etc/resolv.conf; rm /etc/resolv.conf.bak; cp -R /etc/* /kapp-etc; chmod g+w /kapp-etc/pki/tls/certs/"
+        command:
+        - /bin/sh
+        image: kapp-controller
+        name: init-kapp-controller
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 0
+        volumeMounts:
+        - mountPath: /kapp-etc
+          name: etc
+      #@ end
+      #@ if/end data.values.hostNetwork:
+      hostNetwork: #@ data.values.hostNetwork
+      #@ if/end data.values.priorityClassName:
+      priorityClassName: #@ data.values.priorityClassName
+      #@ if hasattr(data.values, 'tolerations') and data.values.tolerations:
+      tolerations: #@ default_tolerations + data.values.tolerations
+      #@ end
+      #@ if data.values.coreDNSIP:
+      volumes:
+        #@overlay/append
+        - emptyDir:
+            medium: Memory
+          name: etc
+      #@ end

config/overlays/update-strategy-overlay.yml

@@ -0,0 +1,63 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#@ def matcher():
+kind: Deployment
+metadata:
+  name: kapp-controller
+spec:
+  template:
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+#@ end
+
+#@overlay/match expects="0+",by=overlay.subset({"kind":"Deployment"})
+---
+kind: Deployment
+spec:
+  #@ if data.values.deployment.updateStrategy:
+  #@overlay/match missing_ok=True
+  strategy:
+    type: #@ data.values.deployment.updateStrategy
+    #@overlay/match missing_ok=True
+    #@ if data.values.deployment.updateStrategy == "RollingUpdate":
+    rollingUpdate:
+      #@ if/end data.values.deployment.rollingUpdate.maxUnavailable != None:
+      maxUnavailable: #@ data.values.deployment.rollingUpdate.maxUnavailable
+      #@ if/end data.values.deployment.rollingUpdate.maxSurge != None:
+      maxSurge: #@ data.values.deployment.rollingUpdate.maxSurge
+    #@ end
+  #@ end
+  #@ if data.values.nodeSelector != None:
+  template:
+    spec:
+      #@overlay/match missing_ok=True
+      nodeSelector:
+        #@ for key in data.values.nodeSelector:
+        #@overlay/match missing_ok=True
+        #@yaml/text-templated-strings
+        (@= key @): #@ data.values.nodeSelector[key]
+        #@ end
+  #@ end
+
+#@overlay/match expects="0+",by=overlay.subset({"kind":"DaemonSet"})
+---
+kind: DaemonSet
+spec:
+  #@ if data.values.daemonset.updateStrategy:
+  #@overlay/match missing_ok=True
+  updateStrategy:
+    type: #@ data.values.daemonset.updateStrategy
+  #@ end
+
+#@overlay/match by=overlay.subset(matcher()) , when=1
+---
+spec:
+  template:
+    spec:
+      nodeSelector:
+        #@overlay/remove
+        node-role.kubernetes.io/master:
+        #@overlay/match missing_ok=True
+        node-role.kubernetes.io/control-plane: ""

config/values-schema.yml

@@ -3,17 +3,71 @@
 #@schema/desc "The namespace in which to deploy kapp-controller"
 namespace: kapp-controller
 #@schema/desc "Whether to create namespace specified for kapp-controller"
-create_namespace: true
+createNamespace: true
 #@schema/desc "The global packaging namespace for kapp-controller"
-packaging_global_namespace: kapp-controller-packaging-global
+packagingGlobalNamespace: kapp-controller-packaging-global
 #@schema/desc "Whether to create the global packaging namespace for kapp-controller"
-create_packaging_namespace: true
+createPackagingNamespace: true
 #! clusters version 1.19 and below should disable APIPriorityAndFairness by setting the below to false
 #@schema/desc "Whether to enable api priority and fairness"
-enable_api_priority_and_fairness: true
+enableApiPriorityAndFairness: true
 #@schema/desc "Whether to enable pprofiling for kapp-controller"
-dangerous_enable_pprof: false
+dangerousEnablePprof: false
 #@schema/desc "Comma separated list of cipher suites - empty for language defaults"
-tls_cipher_suites: ""
+tlsCipherSuites: ""
 #@schema/desc "API port"
-api_port: 10350
+apiPort: 10350
+#@schema/desc "The coreDNSIP will be injected into /etc/resolv.conf of kapp-controller pod"
+coreDNSIP: ""
+#@schema/desc "HostNetwork of kapp-controller deployment."
+hostNetwork: false
+#@schema/desc "PriorityClassName of kapp-controller deployment."
+priorityClassName: ""
+#@schema/desc "Concurrency of kapp-controller deployment"
+concurrency: 4
+#@schema/desc "Toleration of kapp-controller deployment."
+tolerations: [""]
+#@schema/desc "Address for metrics server."
+metricsBindAddress: ""
+
+#@schema/desc "Controller Configuration Spec"
+#@overlay/match-child-defaults missing_ok=True
+config:
+  #@schema/desc "A cert chain of trusted ca certs. These will be added to the system-wide cert pool of trusted ca's. Default is empty"
+  caCerts: ""
+  #@schema/desc "The url/ip of a proxy for kapp controller to use when making network requests. Default is empty"
+  httpProxy: ""
+  #@schema/desc "The url/ip of a tls capable proxy for kapp controller to use when making network requests. Default is empty"
+  httpsProxy: ""
+  #@schema/desc "A comma delimited list of domain names which kapp controller should bypass the proxy for when making requests. Default is empty"
+  noProxy: ""
+  #@schema/desc "A comma delimited list of hostnames for which kapp controller should skip TLS verification. Default is empty"
+  dangerousSkipTLSVerify: ""
+  #@schema/desc "JSON encoded array of kapp deploy rawOptions that are applied to all App CRs."
+  kappDeployRawOptions: ""
+  #@schema/desc "Time duration value used as a default for App CR's spec.syncPeriod. Minimum is 30s."
+  appDefaultSyncPeriod: ""
+  #@schema/desc "Time duration value to force a minimum for App CR's spec.syncPeriod. Minimum is 30s."
+  appMinimumSyncPeriod: ""
+
+#@schema/desc "Configuration for deployments"
+#@overlay/match-child-defaults missing_ok=True
+deployment:
+  #@schema/desc "Update strategy of deployments, empty uses default strategy"
+  updateStrategy: ""
+  #@schema/desc "Rolling update strategy. Applied only if RollingUpdate is used as updateStrategy"
+  rollingUpdate:
+    #@schema/desc "The maxUnavailable of rollingUpdate. Applied only if RollingUpdate is used as updateStrategy"
+    maxUnavailable: 1
+    #@schema/desc "The maxSurge of rollingUpdate. Applied only if RollingUpdate is used as updateStrategy"
+    maxSurge: 0
+
+#@schema/type any=True
+#@schema/desc "NodeSelector configuration applied to all the deployments"
+nodeSelector: null
+
+#@schema/desc "Configuration for daemonsets"
+#@overlay/match-child-defaults missing_ok=True
+daemonset:
+  #@schema/desc "Update strategy of daemonset, empty uses default strategy"
+  updateStrategy: ""

docs/dev.md

@@ -98,7 +98,7 @@ graphed in [github
 pages](https://carvel-dev.github.io/kapp-controller/dev/bench/index.html).
 
 ### Profiling
-1.) Enable profiling by editing config/values.yaml and setting `dangerous_enable_pprof`
+1.) Enable profiling by editing config/values-schema.yaml and setting `dangerousEnablePprof`
 to true
 2.) deploy (see above)
 3.) install graphviz: `brew install graphviz`

hack/build-release.sh

@@ -11,10 +11,15 @@ source $(dirname "$0")/version-util.sh
 export version="$(get_kappctrl_ver)"
 
 # We do not want the version to be configurable in the kapp-controller package
-sed 's/v0.0.0/'"$version"'/' config/deployment.yml > tmp/deployment.yml
-mv tmp/deployment.yml config/deployment.yml
+sed 's/v0.0.0/'"$version"'/' config/config/deployment.yml > tmp/deployment.yml
+mv tmp/deployment.yml config/config/deployment.yml
 
-ytt -f config -f config-release -v dev.version="$version" --data-values-env=KCTRL | kbld --imgpkg-lock-output .imgpkg/images.yml -f- > ./tmp/release.yml
+ytt -f config/config -f config/values-schema.yml -f config-release -v dev.version="$version" --data-values-env=KCTRL | kbld --imgpkg-lock-output .imgpkg/images.yml -f- > ./tmp/release.yml
+
+# Update image url in kapp-controller package overlays
+image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' ./tmp/release.yml`
+sed 's|image: kapp-controller|image: '"$image_url"'|' config/overlays/update-deployment.yml > tmp/update-deployment.yml
+mv tmp/update-deployment.yml config/overlays/update-deployment.yml
 
 shasum -a 256 ./tmp/release.yml
 

hack/build.sh

@@ -14,7 +14,7 @@ go build -trimpath -mod=vendor -o controller ./cmd/controller/...
 ls -la ./controller
 
 ./hack/gen-crds.sh
-ytt -f config -f config-dev >/dev/null
+ytt -f config/config -f config/values-schema.yml -f config-dev >/dev/null
 
 # compile tests, but do not run them: https://github.com/golang/go/issues/15513#issuecomment-839126426
 go test --exec=echo ./... >/dev/null

hack/crd-overlay.yml

@@ -38,4 +38,4 @@ spec:
 metadata:
   #@overlay/match missing_ok=True
   annotations:
-    packaging.carvel.dev/global-namespace: #@ data.values.packaging_global_namespace
+    packaging.carvel.dev/global-namespace: #@ data.values.packagingGlobalNamespace

hack/deploy-test.sh

@@ -4,7 +4,7 @@ set -e
 
 source $(dirname "$0")/version-util.sh
 
-./hack/build.sh && ytt -f config -f config-dev -v dev.version="$(get_kappctrl_ver)+develop" | kbld -f- | kapp deploy -a kc -f- -c -y
+./hack/build.sh && ytt -f config/config -f config/values-schema.yml -f config-dev -v dev.version="$(get_kappctrl_ver)+develop" | kbld -f- | kapp deploy -a kc -f- -c -y
 
 source ./hack/secretgen-controller.sh
 deploy_secretgen-controller

hack/deploy.sh

@@ -5,7 +5,7 @@ set -e
 # makes the get_kappctrl_ver function available (scrapes version from git tag)
 source $(dirname "$0")/version-util.sh
 
-./hack/build.sh && ytt -f config -f config-dev -v dev.version="$(get_kappctrl_ver)+develop"  | kbld -f- | kapp deploy -a kc -f- -c -y
+./hack/build.sh && ytt -f config/config -f config/values-schema.yml -f config-dev -v dev.version="$(get_kappctrl_ver)+develop"  | kbld -f- | kapp deploy -a kc -f- -c -y
 
 source ./hack/secretgen-controller.sh
 deploy_secretgen-controller

hack/dev-deploy.sh

@@ -26,4 +26,4 @@ ENV PATH="/:\${PATH}"
 ENTRYPOINT ["/kapp-controller"]
 EOF
 
-ytt -f config -f config-dev -v dev.version="$(get_kappctrl_ver)+develop" --data-value-yaml dev.rapid_deploy=true | kbld -f- | kapp deploy -a kc -f- -c -y
+ytt -f config/config -f config/values-schema.yml -f config-dev -v dev.version="$(get_kappctrl_ver)+develop" --data-value-yaml dev.rapid_deploy=true | kbld -f- | kapp deploy -a kc -f- -c -y

hack/gen-crds.sh

@@ -11,6 +11,6 @@ go run ./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go \
   output:dir=./tmp/crds \
   paths=./pkg/apis/...
 
-ytt -f tmp/crds -f ./hack/crd-overlay.yml -f config/values-schema.yml > config/crds.yml
+ytt -f tmp/crds -f ./hack/crd-overlay.yml -f config/values-schema.yml > config/config/crds.yml
 
 rm -rf tmp/crds