Merge pull request #565 from GrahamDumpleton/remote-access-token

Always add remote access token.

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/08-lookup.yaml

@@ -31,3 +31,5 @@ workshopBaseImagePullPolicy: #@ workshop_base_image_pull_policy
 #@ if data.values.lookupService.enabled:
 --- #@ template.replace(library.get("lookup-service").with_data_values(lookup_service_values(), plain=True).eval())
 #@ end
+
+--- #@ template.replace(library.get("lookup-service-token").with_data_values({}, plain=True).eval())

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterrolebindings.yaml

@@ -0,0 +1,13 @@
+#! Cluster role bindings for the remote access.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: educates-remote-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: educates-remote-access
+subjects:
+- kind: ServiceAccount
+  name: remote-access
+  namespace: educates

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/clusterroles.yaml

@@ -0,0 +1,26 @@
+#! Cluster role for the remote access clients.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: educates-remote-access
+rules:
+  - apiGroups:
+      - training.educates.dev
+    resources:
+      - trainingportals
+      - workshopenvironments
+      - workshopsessions
+      - workshopallocations
+      - workshops
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service-token/serviceaccounts.yaml

@@ -0,0 +1,8 @@
+#! ServiceAccount for remote access clients.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: remote-access
+  namespace: educates
+  annotations:
+    kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterrolebindings.yaml

@@ -1,4 +1,3 @@
----
 #! Cluster role bindings for the lookup service.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -12,17 +11,3 @@ subjects:
 - kind: ServiceAccount
   name: lookup-service
   namespace: educates
----
-#! Cluster role bindings for the remote access.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: educates-remote-access
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: educates-remote-access
-subjects:
-- kind: ServiceAccount
-  name: remote-access
-  namespace: educates

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/clusterroles.yaml

@@ -1,4 +1,3 @@
----
 #! Cluster role for the lookup service application.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -73,30 +72,3 @@ rules:
       - get
       - list
       - watch
----
-#! Cluster role for the remote access clients.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: educates-remote-access
-rules:
-  - apiGroups:
-      - training.educates.dev
-    resources:
-      - trainingportals
-      - workshopenvironments
-      - workshopsessions
-      - workshopallocations
-      - workshops
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - get
-      - list
-      - watch

carvel-packages/installer/bundle/config/ytt/_ytt_lib/packages/educates/_ytt_lib/lookup-service/upstream/serviceaccounts.yaml

@@ -1,16 +1,6 @@
----
 #! ServiceAccount to run the lookup service application.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: lookup-service
   namespace: educates
----
-#! ServiceAccount for remote access clients.
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: remote-access
-  namespace: educates
-  annotations:
-    kapp.k14s.io/change-group: "educates/sa-with-separate-token-secret"

project-docs/custom-resources/training-portal.md

@@ -182,6 +182,19 @@ spec:
 
 When a name conflict occurs, the value of this label will override any value specified in the workshop default section, or the workshop definition.
 
+Labels for the training portal
+------------------------------
+
+As well as being able to provide additional labels for individual workshops, it is also possible to add labels to the training portal. These labels are distinct from labels added to metadata for Kubernetes resources and are specific to Educates. They can be used by a lookup service to identify the purpose of training portals.
+
+```yaml
+spec:
+  portal:
+    labels:
+    - name: environment
+      value: staging
+```
+
 Setting caps on individual users
 --------------------------------
 

project-docs/release-notes/version-3.0.0.md

@@ -41,6 +41,12 @@ New Features
   of the existing workshop session by looking up via the REST API, sessions
   which are active for the user.
 
+* An initial version of a new lookup service has been integrated which provide
+  a REST API for request workshop sessions which can sit in front of multiple
+  training portals, on the same cluster or across multiple clusters. We are
+  still fine tuning this so documentation isn't yet available, buf if interested
+  then ask about it on the Educates community Slack channel.
+
 Features Changed
 ----------------