Merge pull request #249 from openziti/zrok-create-account

refactor zrok chart for new create account API operation

charts/zrok/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.4.30
+appVersion: 0.4.39
 
 dependencies: []
   # removing this dependency until it becomes clear that it makes sense as a subchart

charts/zrok/README.md

@@ -2,7 +2,7 @@
 
 # zrok
 
-![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.30](https://img.shields.io/badge/AppVersion-0.4.30-informational?style=flat-square)
+![Version: 0.2.5](https://img.shields.io/badge/Version-0.2.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.39](https://img.shields.io/badge/AppVersion-0.4.39-informational?style=flat-square)
 
 Run the zrok controller and zrok frontend components as a K8s deployment
 

charts/zrok/templates/controller-secrets-configmap.yaml

@@ -5,26 +5,6 @@
 # their enclosing conditional statement
 {{- $influxAdminToken := randAlphaNum 32 | b64enc }}
 
----
-apiVersion: v1
-kind: Secret
-metadata:
-    name: {{ include "zrok.fullname" . }}-ziggy-account-password
-    labels:
-        {{- include "zrok.labelsController" . | nindent 8 }}
-    annotations:
-        # "helm.sh/resource-policy": "keep"
-type: Opaque
-data:
-    # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
-    {{- $ziggySecretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-%s" (include "zrok.fullname" . ) "ziggy-account-password")) | default dict }}
-    {{- $ziggySecretData := (get $ziggySecretObj "data") | default dict }}
-    # set $zrokAdminToken to existing secret data or generate a random one when not exists
-    {{- $ziggyPassword := (get $ziggySecretData "password") | default (randAlphaNum 32 | b64enc) }}
-    # set the secret values..
-    username: {{ printf "ziggy@%s" .Values.dnsZone | b64enc | quote }}
-    password: {{ $ziggyPassword | quote }}
-
 ---
 apiVersion: v1
 kind: Secret
@@ -99,24 +79,6 @@ data:
         # uses mounted zrok config YAML
         zrok admin bootstrap /etc/zrok/ctrl.yaml
 
-        # granted permission to read secrets in namespace by SA managed by this chart
-        if kubectl -n {{ .Release.Namespace }} get secret \
-            {{ include "zrok.fullname" . }}-ziggy-account-token &>/dev/null; then
-            echo "INFO: ziggy account enable token secret exists"
-        else
-            echo "INFO: ziggy account enable token secret does not exist, creating secret"
-            # create a default user account named "ziggy" and save the enable token in a Secret resource
-            zrok admin create account \
-                /etc/zrok/ctrl.yaml \
-                ziggy@{{ .Values.dnsZone }} \
-                {{ $ziggyPassword | b64dec | quote }} \
-            | xargs -I TOKEN kubectl -n {{ .Release.Namespace }} create secret generic \
-                {{ include "zrok.fullname" . }}-ziggy-account-token \
-                --from-literal=token=TOKEN
-            # xargs -r is NOT used here because this command must fail loudly if the account token was not created
-
-        fi
-
         # granted permission to read secrets in namespace by SA managed by this chart
         if kubectl -n {{ .Release.Namespace }} get secret \
             {{ include "zrok.fullname" . }}-frontend-identity &>/dev/null; then
@@ -180,7 +142,7 @@ data:
         # configuration, the software will expect this field to be incremented. This protects you against invalid configuration
         # versions.
         #
-        v: 3
+        v: 4
 
         admin:
         # The `secrets` array contains a list of strings that represent valid `ZROK_ADMIN_TOKEN` values to be used for

charts/zrok/templates/frontend-deployment.yaml

@@ -83,11 +83,6 @@ spec:
           # needs to read the frontend ziti identity secret which is mounted in $HOME/.zrok/identities
           args: ["access", "public", "/etc/zrok/frontend.yaml"]
           env:
-            - name: ZROK_ADMIN_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "zrok.fullname" . }}-admin-secret
-                  key: admin-token
             - name: ZROK_API_ENDPOINT
               value: http://{{ include "zrok.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.controller.service.advertisedPort }}
             - name: HOME

charts/zrok/templates/frontend-configmap.yaml → charts/zrok/templates/frontend-secrets-configmap.yaml

@@ -1,3 +1,23 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: {{ include "zrok.fullname" . }}-ziggy-account-password
+    labels:
+        {{- include "zrok.labelsController" . | nindent 8 }}
+    annotations:
+        # "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+    # retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
+    {{- $ziggySecretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-%s" (include "zrok.fullname" . ) "ziggy-account-password")) | default dict }}
+    {{- $ziggySecretData := (get $ziggySecretObj "data") | default dict }}
+    # set $zrokAdminToken to existing secret data or generate a random one when not exists
+    {{- $ziggyPassword := (get $ziggySecretData "password") | default (randAlphaNum 32 | b64enc) }}
+    # set the secret values..
+    username: {{ printf "ziggy@%s" .Values.dnsZone | b64enc | quote }}
+    password: {{ $ziggyPassword | quote }}
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -12,9 +32,7 @@ data:
         set -o errexit
         set -o nounset
         set -o pipefail
-        # set -o xtrace  # FIXME remove this
-
-        # while true;do sleep 1;done
+        # set -o xtrace
 
         # mounted script from frontend configmap
         zitiLogin
@@ -116,7 +134,22 @@ data:
                 "{{ .Values.frontend.ingress.scheme }}://{token}.{{ .Values.dnsZone }}"
         fi
 
-        # while true;do sleep 1;done
+        # granted permission to read secrets in namespace by SA managed by this chart
+        if kubectl -n {{ .Release.Namespace }} get secret \
+            {{ include "zrok.fullname" . }}-ziggy-account-token &>/dev/null; then
+            echo "INFO: ziggy account enable token secret exists"
+        else
+            echo "INFO: ziggy account enable token secret does not exist, creating secret"
+            # create a default user account named "ziggy" and save the enable token in a Secret resource
+            zrok admin create account \
+                ziggy@{{ .Values.dnsZone }} \
+                {{ $ziggyPassword | b64dec | quote }} \
+            | xargs -I TOKEN kubectl -n {{ .Release.Namespace }} create secret generic \
+                {{ include "zrok.fullname" . }}-ziggy-account-token \
+                --from-literal=token=TOKEN
+            # xargs -r is NOT used here because this command must fail loudly if the account token was not created
+
+        fi
 
     frontend.yaml: |-