Simplify Helm install (#492)

* Update README.md

* add and build infra omni chart

* infer registry endpoint from kubernetes services

- add label 'infrahq.com/flavor'

* mount secrets as files

* fix mounts when mount names

* include registry by default

* typo

* s/flavor/component/

* update NOTES.txt

* Update README.md

* remove registry enabled flag

* more readme updates

* remove unused files

* s/Secret/ApiKey/

- verify api key length

* move helm/charts/registry to helm/charts/infra

* readme

* update dev workflow

* fix helm lint

* makefile: switch docker-desktop namespace

* typo

* readme

* kubernetes.md: infrahq namespace

* update helm.md

* more doco

.github/workflows/test.yml

@@ -18,9 +18,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: Azure/setup-helm@v1
-    - run: |
-        helm lint helm/charts/engine/
-        helm lint helm/charts/registry/
+    - run: make helm/lint tag=0.0.0-development
   go-lint:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -1,4 +1,4 @@
-tag := $(shell git describe --tags)
+tag := $(patsubst v%,%,$(shell git describe --tags))
 
 generate:
 	go generate ./...
@@ -14,15 +14,31 @@ test-all:
 	go test ./...
 
 .PHONY: helm
-helm:
-	helm package -d ./helm helm/charts/registry helm/charts/engine --version $(tag:v%=%) --app-version $(tag:v%=%)
-	helm repo index ./helm
+helm: helm/engine.tgz helm/infra.tgz
+	helm repo index helm
+
+helm/%.tgz: helm/charts/%
+	helm package -d $(@D) $< --version $(tag) --app-version $(tag)
+
+helm/charts/infra/charts/:
+	mkdir -p $@
+
+helm/charts/infra/charts/%.tgz: helm/%.tgz helm/charts/infra/charts/
+	ln -sf $(realpath $<) $(@D)
+
+helm/infra.tgz: helm/charts/infra/charts/engine-$(tag).tgz
+
+helm/lint: helm
+	helm lint helm/charts/*
+
+helm/clean:
+	$(RM) -r helm/*.tgz helm/charts/infra/charts
 
 .PHONY: docs
 docs:
 	go run ./internal/docgen
 
-clean:
+clean: helm/clean
 	$(RM) -r dist
 
 .PHONY: openapi
@@ -41,39 +57,46 @@ goreleaser:
 build: goreleaser
 	goreleaser build --snapshot --rm-dist
 
+export IMAGE_TAG=0.0.0-development
+
 build/docker:
-	docker build --build-arg TELEMETRY_WRITE_KEY=${TELEMETRY_WRITE_KEY} --build-arg CRASH_REPORTING_DSN=${CRASH_REPORTING_DSN} . -t infrahq/infra:0.0.0-development
+	docker build --build-arg TELEMETRY_WRITE_KEY=${TELEMETRY_WRITE_KEY} --build-arg CRASH_REPORTING_DSN=${CRASH_REPORTING_DSN} . -t infrahq/infra:$(IMAGE_TAG)
+
+export OKTA_SECRET=infra-registry-okta
+
+%.yaml: %.yaml.in
+	envsubst <$< >$@
+
+docker-desktop.yaml: docker-desktop.yaml.in
+
+NS=$(patsubst %,-n %,$(NAMESPACE))
+VALUES=docker-desktop.yaml
 
-dev:
+dev: $(VALUES) helm build/docker
 	# docker desktop setup for the dev environment
 	# create a token and get the token secret from:
 	# https://dev-02708987-admin.okta.com/admin/access/api/tokens
 	# get client secret from:
 	# https://dev-02708987-admin.okta.com/admin/app/oidc_client/instance/0oapn0qwiQPiMIyR35d6/#tab-general
 	# create the required secret with:
-	# kubectl create secret generic infra-registry-okta -n infrahq --from-literal=clientSecret=$$OKTA_CLIENT_SECRET --from-literal=apiToken=$$OKTA_API_TOKEN
+	# kubectl $(NS) create secret generic $(OKTA_SECRET) --from-literal=clientSecret=$$OKTA_CLIENT_SECRET --from-literal=apiToken=$$OKTA_API_TOKEN
 
 	kubectl config use-context docker-desktop
-	make build/docker
-	helm upgrade --install infra-registry ./helm/charts/registry --namespace infrahq --create-namespace --set image.pullPolicy=Never --set image.tag=0.0.0-development --set-file config=./infra.yaml --set logLevel=debug
-	kubectl config set-context --current --namespace=infrahq
-	kubectl wait --for=condition=available --timeout=600s deployment/infra-registry --namespace infrahq
-	helm upgrade --install infra-engine ./helm/charts/engine --namespace infrahq --set image.pullPolicy=Never --set image.tag=0.0.0-development --set name=dd --set registry=infra-registry --set apiKey=$$(kubectl get secrets/infra-registry --template={{.data.engineApiKey}} --namespace infrahq | base64 -D) --set service.ports[0].port=8443 --set service.ports[0].name=https --set service.ports[0].targetPort=443 --set logLevel=debug
-	kubectl rollout restart deployment/infra-registry --namespace infrahq
-	kubectl rollout restart deployment/infra-engine --namespace infrahq
-	ROOT_TOKEN=$$(kubectl --namespace infrahq get secrets infra-registry -o jsonpath='{.data.rootApiKey}' | base64 -D); \
-    echo Root token is $$ROOT_TOKEN
+	kubectl $(NS) get secrets $(INFRA_REGISTRY_OKTA) >/dev/null
+	helm $(NS) upgrade --install --create-namespace $(patsubst %,-f %,$(VALUES)) --wait infra helm/charts/infra
+	@[ -z "$(NS)" ] || kubectl config set-context --current --namespace=$(NAMESPACE)
+	@echo Root token is $$(kubectl $(NS) get secrets infra-registry -o jsonpath='{.data.root-key}' | base64 --decode)
 
 dev/clean:
 	kubectl config use-context docker-desktop
-	helm uninstall --namespace infrahq infra-registry || true
-	helm uninstall --namespace infrahq infra-engine || true
+	helm $(NS) uninstall infra || true
+	helm $(NS) uninstall infra-engine || true
 
 release: goreleaser
 	goreleaser release -f .goreleaser.yml --rm-dist
 
 release/docker:
-	docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg BUILDVERSION=$(tag:v%=%) --build-arg TELEMETRY_WRITE_KEY=${TELEMETRY_WRITE_KEY} --build-arg CRASH_REPORTING_DSN=${CRASH_REPORTING_DSN} . -t infrahq/infra:$(tag:v%=%) -t infrahq/infra
+	docker buildx build --push --platform linux/amd64,linux/arm64 --build-arg BUILDVERSION=$(tag) --build-arg TELEMETRY_WRITE_KEY=${TELEMETRY_WRITE_KEY} --build-arg CRASH_REPORTING_DSN=${CRASH_REPORTING_DSN} . -t infrahq/infra:$(tag) -t infrahq/infra
 
 release/helm: helm
 	aws s3 --region us-east-2 sync helm s3://helm.infrahq.com --exclude "*" --include "index.yaml" --include "*.tgz"

README.md

@@ -4,69 +4,76 @@
 
 ## Introduction
 
-Infra is **identity and access management** for Kubernetes. Provide any user fine-grained access to Kubernetes clusters via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.
+Infra is **identity and access management** for your cloud infrastructure. It puts the power of fine-grained access to infrastructure like Kubernetes in your hands via existing identity providers such as Okta, Google Accounts, Azure Active Directory and more.
 
 **Features**:
 * Single-command access: `infra login`
-* No more out-of-sync kubeconfig files
+* No more out-of-sync user configurations
 * Fine-grained role assignment
 * Onboard and offboard users via Okta (Azure AD, Google, GitHub coming soon)
 * Audit logs for who did what, when (coming soon)
 
 ## Quickstart
 
-### Install Infra Registry
-
 **Prerequisites:**
-* [Helm](https://helm.sh/)
+* [Helm](https://helm.sh/) (v3+)
+* [Kubernetes](https://kubernetes.io/) (v1.14+)
+
+### Install Infra
 
 ```bash
-helm repo add infrahq https://helm.infrahq.com
+helm repo add infrahq https://helm.infrahq.com/
 helm repo update
-helm install infra-registry infrahq/registry --namespace infrahq --create-namespace
+helm install -n infrahq --create-namespace infra infrahq/infra
 ```
 
-### Connect Kubernetes cluster to Infra Registry
+See [Helm Chart reference](./helm.md) for a complete list of options configurable through Helm.
 
-Once the load balancer for the Infra Registry is available, run the following commands to retrieve Infra Registry information and its engine API key:
+### Configure Infra
 
-```bash
-INFRA_REGISTRY=$(kubectl --namespace infrahq get services infra-registry -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}")
-ENGINE_API_KEY=$(kubectl --namespace infrahq get secrets infra-registry -o jsonpath='{.data.engineApiKey}' | base64 -d)
-```
+This example configuration uses Okta and grants the "Everyone" group read-only access to the default namespace. You will need:
 
-Then, install Infra Engine in the Kubernetes context of the cluster you want to connect to Infra Registry:
-
-```bash
-helm install infra-engine infrahq/engine --namespace infrahq --set registry=$INFRA_REGISTRY --set apiKey=$ENGINE_API_KEY
-```
+* Okta domain
+* Okta client ID
+* Okta client secret
+* Okta API token
+* Cluster name
 
-### Connect an identity provider
+See [Okta](./docs/sources/okta.md) for detailed Okta configuration steps.
 
-First, add Okta via an `infra.yaml` configuration file:
-
-* [Okta configuration guide](./docs/okta.md)
-
-Next, add the following to your `infra.yaml` configuration file to grant everyone view access to the cluster:
+Cluster name is auto-discovered or can be set statically in Helm with `engine.name`.
 
 ```yaml
-groups:
-  - name: Everyone    # example group
-    source: okta
-    roles:
-      - name: view
-        kind: cluster-role
-        destinations:
-          - name: <cluster name>
+# example values.yaml
+---
+config:
+  sources:
+    - kind: okta
+      domain: <Okta domain>
+      clientId: <Okta client ID>
+      clientSecret: <Okta client secret>
+      apiToken: <Okta API token>
+  groups:
+    - name: Everyone
+      roles:
+          - kind: role
+            name: viewer
+            destinations:
+              - name: <cluster name>
+                namespace: default
 ```
 
-Then, update your Infra Registry with this new config:
+See the [Configuration reference](./docs/configuration.md) for a complete list of configurable options.
 
-```bash
-helm upgrade infra-registry infrahq/registry --namespace infrahq --set-file config=./infra.yaml
+### Update Infra With Your Configuration
+
+```
+helm repo update
+helm upgrade -n infrahq -f values.yaml infra infrahq/infra
 ```
 
 ### Install Infra CLI
+
 <details>
   <summary><strong>Debian, Ubuntu</strong></summary>
 
@@ -103,46 +110,79 @@ helm upgrade infra-registry infrahq/registry --namespace infrahq --set-file conf
   ```
 </details>
 
-### Access infrastructure
+### Access Your Infrastructure
 
-```bash
-infra login <your infra registry endpoint>
-```
+First you need to get your Infra endpoint. This step may be different depending on your service type.
 
-After login, Infra will automatically synchronize all the Kubernetes clusters configured for the user into their default kubeconfig file.
+<details>
+  <summary><strong>Ingress</strong></summary>
 
-That's it! You now have access to your cluster via Okta. To list all the clusters, run `infra list`.
+  ```
+  INFRA_HOST=$(kubectl -n infrahq get ingress -l infrahq.com/component=registry -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
+  ```
+</details>
 
-## Upgrading Infra
+<details>
+  <summary><strong>LoadBalancer</strong></summary>
 
-First, update the Helm repo:
+  Note: It may take a few minutes for the LoadBalancer endpoint to be assigned. You can watch the status of the service with:
 
-```bash
-helm repo update
-```
+  ```
+  kubectl -n infrahq get services -l infrahq.com/component=registry -w
+  ```
 
-Then, update the Infra Registry
+  ```
+  INFRA_HOST=$(kubectl -n infrahq get services -l infrahq.com/component=registry -o jsonpath="{.items[].status.loadBalancer.ingress[*]['ip', 'hostname']}")
+  ```
+</details>
 
-```bash
-helm upgrade infra-registry infrahq/registry --namespace infrahq
-```
+<details>
+  <summary><strong>ClusterIP</strong></summary>
 
-Lastly, update any Infra Engines:
+  ```
+  CONTAINER_PORT=$(kubectl -n infrahq get services -l infrahq.com/component=registry -o jsonpath="{.items[].spec.ports[0].port}")
+  kubectl -n infrahq port-forward service/infra-registry 8080:$CONTAINER_PORT &
+  INFRA_HOST='localhost:8080'
+  ```
+</details>
+
+Once you have your infra host, it is time to login.
 
 ```bash
-helm upgrade infra-engine infrahq/engine --namespace infrahq
+infra login $INFRA_HOST
 ```
 
+Follow the instructions on screen to complete the login process.
+
+See the [Infra CLI reference](./docs/cli.md) for more ways to use `infra`.
+
 ## Next Steps
-* [Update roles](./docs/permissions.md)
-* [Add a custom domain](./docs/domain.md) to make it easy for sharing with your team
-* [Connect more Kubernetes clusters](./docs/connect.md)
 
-## Documentation
-* [Okta Reference](./docs/okta.md)
+### Connect Additional Identity Sources
+
+* [Sources](./docs/sources)
+  * [Okta](./docs/sources/okta.md)
+
+### Connect Additional Infrastructure Destinations
+
+* [Destinations](./docs/destinations)
+  * [Kubernetes](./docs/destinations/kubernetes.md)
+
+### Upgrade Infra
+
+```
+helm repo update
+helm upgrade -f values.yaml infra infrahq.com/infra
+```
+
+## [Security](./docs/security.md)
+
+We take security very seriously. If you have found a security vulnerability please disclose it privately to us by email via [security@infrahq.com](mailto:security@infrahq.com).
+
+## [Documentation](./docs)
+
+* [API Reference](./docs/api.md)
+* [Infra CLI Reference](./docs/cli.md)
 * [Helm Chart Reference](./docs/helm.md)
-* [CLI Reference](./docs/cli.md)
 * [Contributing](./docs/contributing.md)
-
-## Security
-We take security very seriously. If you have found a security vulnerability please disclose it privately to us by email via [security@infrahq.com](mailto:security@infrahq.com)
+* [License](./LICENSE)

docker-desktop.yaml.in

@@ -0,0 +1,22 @@
+image:
+  tag: $IMAGE_TAG
+  pullPolicy: Never
+
+  config:
+    sources:
+      - kind: okta
+        domain: $OKTA_DOMAIN
+        clientId: $OKTA_CLIENT_ID
+        clientSecret: $OKTA_SECRET/clientSecret
+        apiToken: $OKTA_SECRET/apiToken
+
+engine:
+  name: docker-desktop
+  image:
+    tag: $IMAGE_TAG
+    pullPolicy: Never
+  service:
+    ports:
+      - name: https
+        port: 8443
+        targetPort: 443