Always install remote access token for lookup service use.

educates · Aug 27, 2024 · 083964d · 083964d
1 parent 869db67
commit 083964d
Show file tree

Hide file tree

Showing 8 changed files with 49 additions and 53 deletions.
diff --git a/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml b/carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml
@@ -31,3 +31,5 @@ workshopBaseImagePullPolicy: #@ workshop_base_image_pull_policy
 #@ if data.values.lookupService.enabled:
 --- #@ template.replace(library.get("lookup-service").with_data_values(lookup_service_values(), plain=True).eval())
 #@ end
+
+--- #@ template.replace(library.get("lookup-service-token").with_data_values({}, plain=True).eval())
diff --git a/...fig/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml b/...fig/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml
@@ -0,0 +1,13 @@
+#! Cluster role bindings for the remote access.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: educates-remote-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: educates-remote-access
+subjects:
+- kind: ServiceAccount
+  name: remote-access
+  namespace: educates
diff --git a/...dle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml b/...dle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml
@@ -0,0 +1,26 @@
+#! Cluster role for the remote access clients.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: educates-remote-access
+rules:
+  - apiGroups:
+      - training.educates.dev
+    resources:
+      - trainingportals
+      - workshopenvironments
+      - workshopsessions
+      - workshopallocations
+      - workshops
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/..._lib/lookup-service/upstream/secrets.yaml → ...ytt_lib/lookup-service-token/secrets.yaml b/..._lib/lookup-service/upstream/secrets.yaml → ...ytt_lib/lookup-service-token/secrets.yaml
diff --git a/.../config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml b/.../config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml
@@ -0,0 +1,8 @@
+#! ServiceAccount for remote access clients.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: remote-access
+  namespace: educates
+  annotations:
+    kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"
diff --git a/.../ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml b/.../ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml
@@ -1,4 +1,3 @@
----
 #! Cluster role bindings for the lookup service.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -12,17 +11,3 @@ subjects:
 - kind: ServiceAccount
   name: lookup-service
   namespace: educates
----
-#! Cluster role bindings for the remote access.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: educates-remote-access
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: educates-remote-access
-subjects:
-- kind: ServiceAccount
-  name: remote-access
-  namespace: educates
diff --git a/.../config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml b/.../config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml
@@ -1,4 +1,3 @@
----
 #! Cluster role for the lookup service application.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -73,30 +72,3 @@ rules:
       - get
       - list
       - watch
----
-#! Cluster role for the remote access clients.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: educates-remote-access
-rules:
-  - apiGroups:
-      - training.educates.dev
-    resources:
-      - trainingportals
-      - workshopenvironments
-      - workshopsessions
-      - workshopallocations
-      - workshops
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - get
-      - list
-      - watch
diff --git a/...nfig/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml b/...nfig/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml
@@ -1,16 +1,6 @@
----
 #! ServiceAccount to run the lookup service application.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: lookup-service
   namespace: educates
----
-#! ServiceAccount for remote access clients.
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: remote-access
-  namespace: educates
-  annotations:
-    kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"