diff --git a/Makefile.vars.mk b/Makefile.vars.mk
index 60e67dec6..4ae39a2b4 100644
--- a/Makefile.vars.mk
+++ b/Makefile.vars.mk
@@ -46,7 +46,7 @@ KUBENT_IMAGE ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 instance ?= defaults
-test_instances = tests/defaults.yml tests/vshn-cloud.yml tests/vshn-managed.yml tests/control-plane.yml tests/service-cluster.yml tests/dev.yml
+test_instances = tests/defaults.yml tests/vshn-cloud.yml tests/vshn-managed.yml tests/control-plane.yml tests/service-cluster.yml tests/dev.yml tests/exodev.yaml
 YAMLLINT_ARGS ?= --no-warnings
 YAMLLINT_CONFIG ?= .yamllint.yml
diff --git a/component/config/vars.jsonnet b/component/config/vars.jsonnet
index 32002c8ff..a6250e455 100644
--- a/component/config/vars.jsonnet
+++ b/component/config/vars.jsonnet
@@ -15,6 +15,7 @@ local isServiceCluster = !cms.controlPlaneCluster && cms.serviceCluster;
 isCMSValid: cms.controlPlaneCluster || cms.serviceCluster,
 isSingleOrControlPlaneCluster: isSingleCluster || isControlPlane,
 isSingleOrServiceCluster: isSingleCluster || isServiceCluster,
+ isExoscale: inv.parameters.facts.cloud == 'exoscale',
 assert (cms.controlPlaneKubeconfig == '' && isSingleCluster) || !isSingleCluster : 'clusterManagementSystem.controlPlaneKubeconfig should be empty for converged clusters',
 assert (cms.controlPlaneKubeconfig != '' && isServiceCluster) || (isSingleCluster || isControlPlane) : 'clusterManagementSystem.controlPlaneKubeconfig should not be empty for service clusters',
 }
diff --git a/component/vshn_appcat_services.jsonnet b/component/vshn_appcat_services.jsonnet
index 99bbf037e..78d2cb807 100644
--- a/component/vshn_appcat_services.jsonnet
+++ b/component/vshn_appcat_services.jsonnet
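Review bot: The entry added to `test_instances` is `tests/exodev.yaml`, but the fixture this commit creates is `tests/exodev.yml`, and every other entry in the list uses the `.yml` suffix. How the Makefile derives instance names from this list is not visible in the hunk, but with the mismatched suffix the exodev instance may be skipped or fail to resolve, so the new golden output would not be checked. The added line should end with `tests/exodev.yml`.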
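Review bot: `isExoscale` dereferences `inv.parameters.facts.cloud` directly, so rendering aborts with a missing-field error on any inventory that does not set that fact, as soon as one of the service files evaluates `!vars.isExoscale`. Whether every target defines `facts.cloud` is not visible here; if that is not guaranteed, guard the lookup with `isExoscale: std.objectHas(inv.parameters.facts, 'cloud') && inv.parameters.facts.cloud == 'exoscale',`. The enclosing object starts above the hunk.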
@@ -192,7 +192,7 @@ local vshn_appcat_service(name, serviceParams) =
 [if isOpenshift && std.objectHas(serviceParams, 'openshiftTemplate') then '21_openshift_template_%s_vshn' % name]: osTemplate,
 } else {})
- + if vars.isSingleOrServiceCluster then {
+ + if vars.isSingleOrServiceCluster && !vars.isExoscale then {
 ['22_prom_rule_sla_%s' % name]: promRuleSLA,
 [if params.services.vshn.enabled && serviceParams.enabled then 'sli_exporter/70_slo_vshn_%s' % name]: slos.Get('vshn-' + name),
 [if params.services.vshn.enabled && serviceParams.enabled then 'sli_exporter/80_slo_vshn_%s_ha' % name]: slos.Get('vshn-' + name + '-ha'),
diff --git a/component/vshn_postgres.jsonnet b/component/vshn_postgres.jsonnet
index 4ba065580..74907a4dc 100644
--- a/component/vshn_postgres.jsonnet
+++ b/component/vshn_postgres.jsonnet
@@ -315,7 +315,7 @@ local plansCM = kube.ConfigMap('vshnpostgresqlplans') + {
 [if isOpenshift then '11_stackgres_openshift_operator']: std.prune(stackgresOperator),
 [if isOpenshift then '12_stackgres_openshift_operator_netpol']: stackgresNetworkPolicy,
 } else {})
-+ if vars.isSingleOrServiceCluster then {
++ if vars.isSingleOrServiceCluster && !vars.isExoscale then {
 '22_prom_rule_sla_postgres': promRulePostgresSLA,
 [if params.slos.enabled && params.services.vshn.enabled && params.services.vshn.postgres.enabled then 'sli_exporter/70_slo_vshn_postgresql']: slos.Get('vshn-postgresql'),
 [if params.slos.enabled && params.services.vshn.enabled && params.services.vshn.postgres.enabled then 'sli_exporter/80_slo_vshn_postgresql_ha']: slos.Get('vshn-postgresql-ha'),
diff --git a/component/vshn_redis.jsonnet b/component/vshn_redis.jsonnet
index 0b6c322c8..413e9a20e 100644
--- a/component/vshn_redis.jsonnet
+++ b/component/vshn_redis.jsonnet
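Review bot: The new `&& !vars.isExoscale` guard drops the `22_prom_rule_sla_*` rule and both `sli_exporter` SLO objects on Exoscale clusters, and nothing in the code says why; the same condition is repeated in the `vshn_postgres.jsonnet` and `vshn_redis.jsonnet` hunks. Because this removes SLA monitoring for a whole class of clusters, it deserves a comment above the condition, for example `// SLA rules and SLOs are not rendered on Exoscale: <reason>`, or a single named flag in `component/config/vars.jsonnet` that the three files share. `vshn_appcat_service` starts and continues outside the hunk.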
@@ -572,7 +572,7 @@ local plansCM = kube.ConfigMap('vshnredisplans') + {
 '21_composition_vshn_redis': composition,
 [if isOpenshift then '21_openshift_template_redis_vshn']: osTemplate,
 } else {})
-+ if vars.isSingleOrServiceCluster then {
++ if vars.isSingleOrServiceCluster && !vars.isExoscale then {
 '22_prom_rule_sla_redis': promRuleRedisSLA,
 [if params.services.vshn.enabled && params.services.vshn.redis.enabled then 'sli_exporter/70_slo_vshn_redis']: slos.Get('vshn-redis'),
 [if params.services.vshn.enabled && params.services.vshn.redis.enabled then 'sli_exporter/80_slo_vshn_redis_ha']: slos.Get('vshn-redis-ha'),
diff --git a/tests/exodev.yml b/tests/exodev.yml
new file mode 100644
index 000000000..0ece1b578
--- /dev/null
+++ b/tests/exodev.yml
@@ -0,0 +1,102 @@ +parameters: + kapitan: + dependencies: + - type: https + source: https://raw.githubusercontent.com/projectsyn/component-crossplane/v2.3.0/lib/crossplane.libsonnet + output_path: vendor/lib/crossplane.libsonnet + - type: https + source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/v1.4.0/lib/openshift4-operators.libsonnet + output_path: vendor/lib/openshift4-operators.libsonnet + + facts: + cloud: exoscale #important, do not change, to test cloudscale use dev.yaml instead + sales_order: "10431" + appcat_dev: true + service_level: "zero" + #service_level: "guaranteed_availability" + + global: + appuio_metered_billing_zone_label_map: + c-green-test-1234: 'Kind - Local Test 0' + + crossplane: + namespace: syn-crossplane + + appcat: + grpcEndpoint: host.docker.internal:9443 + proxyFunction: false + + quotasEnabled: false + appuioManaged: false + billing: + salesOrder: ST10120 + vshn: + enableCronjobs: false + meteringRules: false + enableMockOrgInfo: true + instanceUOM: uom_uom_45_1e112771 + network_policies: + target_namespaces: + vshn-appuio-mimir: false + prometheus: + url: http://prometheus-operated.prometheus-system:9090/prometheus + cloudZone: ${global:appuio_metered_billing_zone_label_map:${cluster:name}} + + slos: + enabled: false + alertsEnabled: false + sli_exporter: + enableMaintenceObserver: false + sla_reporter: + enabled: true + slo_mimir_svc: kube-prometheus-kube-prome-prometheus + slo_mimir_namespace: prometheus-system + controller: + enabled: true + postgres: + enabled: false + providers: + exoscale: + enabled: true + cloudscale: + enabled: false + kubernetes: + enabled: true + helm: + enabled: true + minio: + enabled: false + + apiserver: + enabled: true + + services: + emailAlerting: + enabled: false + vshn: + enabled: false + mariadb: + enabled: false + keycloak: + enabled: false + nextcloud: + enabled: false + postgres: + enabled: false + redis: + enabled: false + minio: + enabled: false + + generic: + 
objectstorage: + enabled: true + + defaultComposition: exoscale + compositions: + exoscale: + enabled: true + cloudscale: + enabled: false + minio: + enabled: false diff --git a/tests/golden/exodev/appcat/appcat/10_appcat_backup_monitoring.yaml b/tests/golden/exodev/appcat/appcat/10_appcat_backup_monitoring.yaml new file mode 100644 index 000000000..5091bf310 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_appcat_backup_monitoring.yaml @@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: appcat-backup + namespace: syn-appcat +spec: + groups: + - name: appcat-backup + rules: + - alert: AppCatBackupJobError + annotations: + description: The backup job {{ $labels.job_name }} in namespace {{ $labels.namespace + }} has failed. + runbook_url: https://kb.vshn.ch/app-catalog/how-tos/appcat/AppCatBackupJobError.html + summary: AppCat service backup failed. + expr: kube_job_failed{job_name=~".*backup.*", namespace=~"vshn-()-.*"} > + 0 + for: 1m + labels: + severity: warning + syn: 'true' + syn_component: appcat + syn_team: schedar diff --git a/tests/golden/exodev/appcat/appcat/10_appcat_ha_monitoring.yaml b/tests/golden/exodev/appcat/appcat/10_appcat_ha_monitoring.yaml new file mode 100644 index 000000000..fa893ae39 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_appcat_ha_monitoring.yaml 
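Review bot: Both `kapitan.dependencies` entries fetch a libsonnet file from raw.githubusercontent.com by tag (`v2.3.0`, `v1.4.0`); a tag can be moved, so the content vendored into the test render is not fixed by this file. Pinning the URL path to a commit, e.g. `.../component-crossplane/<commit-sha>/lib/crossplane.libsonnet`, makes the fetched content immutable. Separately, the comment on `cloud: exoscale` points to `dev.yaml`, while the Makefile lists that instance as `tests/dev.yml`.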
@@ -0,0 +1,34 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: appcat-ha + namespace: syn-appcat +spec: + groups: + - name: appcat-ha + rules: + - alert: AppCatHighAvailableDeploymentWarning + annotations: + description: The deployment {{ $labels.deployment }} in namespace {{ $labels.namespace + }} has less replicas than expected. + runbook_url: https://kb.vshn.ch/app-catalog/how-tos/appcat/vshn/AppCatHighAvailableDeploymentWarning.html + summary: AppCat service instance has unavailable pods. + expr: kube_deployment_status_replicas{namespace=~"vshn-()-.*"} > 1 AND kube_deployment_status_replicas{namespace=~"vshn-()-.*"} + - kube_deployment_status_replicas_ready{namespace=~"vshn-()-.*"} > 0 + for: 1m + labels: + severity: warning + syn_team: schedar + - alert: AppCatHighAvailableStatefulsetWarning + annotations: + description: The statefulset {{ $labels.statefulset }} in namespace {{ + $labels.namespace }} has less replicas than expected. + runbook_url: https://kb.vshn.ch/app-catalog/how-tos/appcat/vshn/AppCatHighAvailableStatefulsetWarning.html + summary: AppCat service instance has unavailable pods. + expr: kube_statefulset_status_replicas{namespace=~"vshn-()-.*"} > 1 AND + kube_statefulset_status_replicas{namespace=~"vshn-()-.*"} - kube_statefulset_status_replicas_ready{namespace=~"vshn-()-.*"} + > 0 + for: 1m + labels: + severity: warning + syn_team: schedar diff --git a/tests/golden/exodev/appcat/appcat/10_appcat_namespace.yaml b/tests/golden/exodev/appcat/appcat/10_appcat_namespace.yaml new file mode 100644 index 000000000..1ae9b6251 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_appcat_namespace.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + openshift.io/node-selector: node-role.kubernetes.io/infra= + resourcequota.appuio.io/organization-objects.jobs: '300' + labels: + name: syn-appcat + openshift.io/cluster-monitoring: 'true' + name: syn-appcat diff --git a/tests/golden/exodev/appcat/appcat/10_clusterrole_services_read.yaml b/tests/golden/exodev/appcat/appcat/10_clusterrole_services_read.yaml new file mode 100644 index 000000000..9fe5c9819 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_clusterrole_services_read.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: appcat-services-read + name: appcat:services:read +rules: + - apiGroups: + - '' + resources: + - pods + - pods/log + - pods/status + - events + - services + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods/portforward + verbs: + - get + - list + - create + - apiGroups: + - '' + - project.openshift.io + resources: + - projects + verbs: + - get diff --git a/tests/golden/exodev/appcat/appcat/10_clusterrole_view.yaml b/tests/golden/exodev/appcat/appcat/10_clusterrole_view.yaml new file mode 100644 index 000000000..6542862ef --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_clusterrole_view.yaml 
@@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + rbac.authorization.k8s.io/aggregate-to-view: 'true' + name: appcat:browse +rules: + - apiGroups: + - apiextensions.crossplane.io + resources: + - compositions + - compositionrevisions + - compositeresourcedefinitions + verbs: + - get + - list + - watch diff --git a/tests/golden/exodev/appcat/appcat/10_function_appcat.yaml b/tests/golden/exodev/appcat/appcat/10_function_appcat.yaml new file mode 100644 index 000000000..5106b121c --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_function_appcat.yaml @@ -0,0 +1,11 @@ +apiVersion: pkg.crossplane.io/v1beta1 +kind: Function +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-40' + name: function-appcat +spec: + package: ghcr.io/vshn/appcat:v4.118.2-func + runtimeConfigRef: + name: function-appcat diff --git a/tests/golden/exodev/appcat/appcat/10_function_patch_and_transform.yaml b/tests/golden/exodev/appcat/appcat/10_function_patch_and_transform.yaml new file mode 100644 index 000000000..8a2833538 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_function_patch_and_transform.yaml @@ -0,0 +1,11 @@ +apiVersion: pkg.crossplane.io/v1beta1 +kind: Function +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-40' + name: function-patch-and-transform +spec: + package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.1.4 + runtimeConfigRef: + name: function-patch-and-transform diff --git a/tests/golden/exodev/appcat/appcat/10_mock_org_info.yaml b/tests/golden/exodev/appcat/appcat/10_mock_org_info.yaml new file mode 100644 index 000000000..eb7198e17 --- /dev/null 
+++ b/tests/golden/exodev/appcat/appcat/10_mock_org_info.yaml @@ -0,0 +1,22 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + annotations: {} + labels: + name: mock-org-info + name: mock-org-info + namespace: syn-appcat +spec: + groups: + - name: mock-org-info + rules: + - expr: '1' + labels: + organization: awesomekorp + sales_order: ST10120 + record: appuio_control_organization_info + - expr: '1' + labels: + organization: notvshn + sales_order: invalid + record: appuio_control_organization_info diff --git a/tests/golden/exodev/appcat/appcat/10_namespace_vshn_control.yaml b/tests/golden/exodev/appcat/appcat/10_namespace_vshn_control.yaml new file mode 100644 index 000000000..f949531bf --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_namespace_vshn_control.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: syn-appcat-control + name: syn-appcat-control diff --git a/tests/golden/exodev/appcat/appcat/10_provider_exoscale.yaml b/tests/golden/exodev/appcat/appcat/10_provider_exoscale.yaml new file mode 100644 index 000000000..5ac2ba84f --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_provider_exoscale.yaml 
@@ -0,0 +1,81 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-80' + labels: + name: provider-exoscale + name: provider-exoscale +spec: + package: ghcr.io/vshn/provider-exoscale:v0.11.5 + runtimeConfigRef: + name: provider-exoscale +--- +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-90' + name: provider-exoscale +spec: + deploymentTemplate: + spec: + selector: {} + template: + spec: + containers: + - name: package-runtime + securityContext: {} + securityContext: {} + serviceAccountName: provider-exoscale +--- +apiVersion: exoscale.crossplane.io/v1 +kind: ProviderConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-50' + labels: + name: exoscale + name: exoscale +spec: + credentials: + apiSecretRef: + name: exoscale-api-access + namespace: syn-crossplane + source: InjectedIdentity +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: provider-exoscale + name: provider-exoscale + namespace: syn-crossplane +--- +apiVersion: v1 +data: {} +kind: Secret +metadata: + annotations: {} + labels: + name: exoscale-api-access + name: exoscale-api-access + namespace: syn-crossplane +stringData: + EXOSCALE_API_KEY: t-silent-test-1234/c-green-test-1234/appcat/provider-exoscale/access-key + EXOSCALE_API_SECRET: t-silent-test-1234/c-green-test-1234/appcat/provider-exoscale/secret-key +type: Opaque +--- +apiVersion: v1 +kind: Namespace +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: syn-provider-exoscale-secrets + name: syn-provider-exoscale-secrets 
diff --git a/tests/golden/exodev/appcat/appcat/10_provider_helm.yaml b/tests/golden/exodev/appcat/appcat/10_provider_helm.yaml new file mode 100644 index 000000000..ce3e3caad --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_provider_helm.yaml 
@@ -0,0 +1,182 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-80' + labels: + name: provider-helm + name: provider-helm +spec: + package: xpkg.upbound.io/crossplane-contrib/provider-helm:v0.18.1 + runtimeConfigRef: + name: provider-helm +--- +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-90' + name: provider-helm +spec: + deploymentTemplate: + spec: + selector: {} + template: + spec: + containers: + - name: package-runtime + securityContext: {} + securityContext: {} + serviceAccountName: provider-helm +--- +apiVersion: helm.crossplane.io/v1beta1 +kind: ProviderConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-50' + labels: + name: helm + name: helm +spec: + credentials: + source: InjectedIdentity +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: provider-helm + name: provider-helm + namespace: syn-crossplane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: crossplane-provider-provider-helm-system-custom + name: crossplane:provider:provider-helm:system:custom +rules: + - apiGroups: + - helm.crossplane.io + resources: + - '*' + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - '' + resources: + - namespaces + - serviceaccounts + - services + - persistentvolumeclaims + verbs: + - get + - list + - watch + - create + - watch + - patch + - update + - delete + - apiGroups: + - apps + resources: + - statefulsets + - deployments + verbs: + - get + - list + - watch + - create + - watch + - 
patch + - update + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - update + - patch + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: crossplane-provider-provider-helm-system-custom + name: crossplane:provider:provider-helm:system:custom +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane:provider:provider-helm:system:custom +subjects: + - kind: ServiceAccount + name: provider-helm + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/10_provider_kubernetes.yaml b/tests/golden/exodev/appcat/appcat/10_provider_kubernetes.yaml new file mode 100644 index 000000000..aad12dec6 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_provider_kubernetes.yaml 
@@ -0,0 +1,412 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-80' + labels: + name: provider-kubernetes + name: provider-kubernetes +spec: + package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.14.1 + runtimeConfigRef: + name: provider-kubernetes +--- +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-90' + name: provider-kubernetes +spec: + deploymentTemplate: + spec: + selector: {} + template: + spec: + containers: + - args: + - --max-reconcile-rate=20 + name: package-runtime + securityContext: {} + securityContext: {} + serviceAccountName: provider-kubernetes +--- +apiVersion: kubernetes.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-50' + labels: + name: kubernetes + name: kubernetes +spec: + credentials: + source: InjectedIdentity +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: provider-kubernetes + name: provider-kubernetes + namespace: syn-crossplane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: crossplane-provider-provider-kubernetes-system-custom + name: crossplane:provider:provider-kubernetes:system:custom +rules: + - apiGroups: + - kubernetes.crossplane.io + resources: + - '*' + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - helm.crossplane.io + resources: + - releases + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - '' + - coordination.k8s.io + resources: + - secrets 
+ - configmaps + - events + - leases + verbs: + - '*' + - apiGroups: + - '' + resources: + - namespaces + - serviceaccounts + - secrets + - pods + - pods/log + - pods/portforward + - pods/status + - pods/attach + - pods/exec + - services + verbs: + - get + - list + - watch + - create + - watch + - patch + - update + - delete + - apiGroups: + - apps + resources: + - statefulsets/scale + verbs: + - update + - patch + - apiGroups: + - apps + resources: + - statefulsets + - deployments + verbs: + - get + - delete + - watch + - list + - patch + - update + - create + - apiGroups: + - rbac.authorization.k8s.io + resourceNames: + - appcat:services:read + resources: + - clusterroles + verbs: + - bind + - apiGroups: + - stackgres.io + resources: + - sginstanceprofiles + - sgclusters + - sgpgconfigs + - sgobjectstorages + - sgbackups + - sgdbops + - sgpoolconfigs + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - appcat.vshn.io + resources: + - xobjectbuckets + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - cert-manager.io + resources: + - issuers + - certificates + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - vshn.appcat.vshn.io + resources: + - vshnpostgresqls + verbs: + - get + - update + - apiGroups: + - appcat.vshn.io + resources: + - objectbuckets + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - 
vshn.appcat.vshn.io + resources: + - vshnredis + verbs: + - get + - update + - apiGroups: + - monitoring.coreos.com + resources: + - prometheusrules + - podmonitors + - alertmanagerconfigs + - servicemonitors + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - k8up.io + resources: + - schedules + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - k8up.io + resources: + - snapshots + verbs: + - get + - apiGroups: + - minio.crossplane.io + resources: + - providerconfigs + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - appcat.vshn.io + resources: + - objectbuckets + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - postgresql.sql.crossplane.io + resources: + - providerconfigs + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - mysql.sql.crossplane.io + resources: + - providerconfigs + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - apiextensions.crossplane.io + resources: + - usages + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - update + - patch + - create + - delete + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - create + - watch + - patch + - update + - delete + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: 
crossplane-provider-provider-kubernetes-system-custom + name: crossplane:provider:provider-kubernetes:system:custom +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane:provider:provider-kubernetes:system:custom +subjects: + - kind: ServiceAccount + name: provider-kubernetes + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/10_runtimeconfig_function_appcat.yaml b/tests/golden/exodev/appcat/appcat/10_runtimeconfig_function_appcat.yaml new file mode 100644 index 000000000..cf5c9a43c --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_runtimeconfig_function_appcat.yaml @@ -0,0 +1,22 @@ +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-90' + name: function-appcat +spec: + deploymentTemplate: + spec: + selector: {} + template: + spec: + containers: + - args: + - functions + command: + - appcat + name: package-runtime + securityContext: {} + securityContext: {} + serviceAccountName: function-appcat diff --git a/tests/golden/exodev/appcat/appcat/10_runtimeconfig_function_pnt.yaml b/tests/golden/exodev/appcat/appcat/10_runtimeconfig_function_pnt.yaml new file mode 100644 index 000000000..eda8b3f86 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/10_runtimeconfig_function_pnt.yaml @@ -0,0 +1,18 @@ +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-90' + name: function-patch-and-transform +spec: + deploymentTemplate: + spec: + selector: {} + template: + spec: + containers: + - name: package-runtime + securityContext: {} + securityContext: {} + serviceAccountName: function-patch-and-transform 
diff --git a/tests/golden/exodev/appcat/appcat/20_rbac_objectstorage.yaml b/tests/golden/exodev/appcat/appcat/20_rbac_objectstorage.yaml new file mode 100644 index 000000000..54803ba29 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/20_rbac_objectstorage.yaml @@ -0,0 +1,38 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + rbac.authorization.k8s.io/aggregate-to-view: 'true' + name: appcat:composite:xobjectbuckets.appcat.vshn.io:claim-view +rules: + - apiGroups: + - appcat.vshn.io + resources: + - objectbuckets + - objectbuckets/status + - objectbuckets/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + name: appcat:composite:xobjectbuckets.appcat.vshn.io:claim-edit +rules: + - apiGroups: + - appcat.vshn.io + resources: + - objectbuckets + - objectbuckets/status + - objectbuckets/finalizers + verbs: + - '*' diff --git a/tests/golden/exodev/appcat/appcat/20_serviceaccount_appcat.yaml b/tests/golden/exodev/appcat/appcat/20_serviceaccount_appcat.yaml new file mode 100644 index 000000000..7e1f34cb7 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/20_serviceaccount_appcat.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: function-appcat + name: function-appcat + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/20_serviceaccount_pnt.yaml b/tests/golden/exodev/appcat/appcat/20_serviceaccount_pnt.yaml new file mode 100644 index 000000000..b49af2f41 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/20_serviceaccount_pnt.yaml 
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: function-patch-and-transform + name: function-patch-and-transform + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/20_xrd_objectstorage.yaml b/tests/golden/exodev/appcat/appcat/20_xrd_objectstorage.yaml new file mode 100644 index 000000000..255787165 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/20_xrd_objectstorage.yaml 
@@ -0,0 +1,238 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-70' + labels: + name: xobjectbuckets.appcat.vshn.io + name: xobjectbuckets.appcat.vshn.io +spec: + claimNames: + kind: ObjectBucket + plural: objectbuckets + connectionSecretKeys: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_REGION + - ENDPOINT + - ENDPOINT_URL + - BUCKET_NAME + defaultCompositionRef: + name: exoscale.objectbuckets.appcat.vshn.io + group: appcat.vshn.io + names: + kind: XObjectBucket + plural: xobjectbuckets + versions: + - additionalPrinterColumns: + - jsonPath: .spec.parameters.bucketName + name: Bucket Name + type: string + - jsonPath: .spec.parameters.region + name: Region + type: string + name: v1 + referenceable: true + schema: + openAPIV3Schema: + description: ObjectBucket is the API for creating S3 buckets. + properties: + spec: + description: ObjectBucketSpec defines the desired state of a ObjectBucket. + properties: + parameters: + description: ObjectBucketParameters are the configurable fields + of a ObjectBucket. + properties: + bucketDeletionPolicy: + default: DeleteAll + description: |- + BucketDeletionPolicy determines how buckets should be deleted when Bucket is deleted. + `DeleteIfEmpty` only deletes the bucket if the bucket is empty. + `DeleteAll` recursively deletes all objects in the bucket and then removes it. + type: string + bucketName: + description: |- + BucketName is the name of the bucket to create. + Cannot be changed after bucket is created. + Name must be acceptable by the S3 protocol, which follows RFC 1123. + Be aware that S3 providers may require a unique name across the platform or region. + type: string + region: + description: |- + Region is the name of the region where the bucket shall be created. + The region must be available in the S3 endpoint. 
+ type: string + security: + default: {} + description: Security defines the security of a service + properties: + allowAllNamespaces: + default: false + description: AllowAllNamespaces allows the service to be + accessible from all namespaces, this supersedes the AllowedNamespaces + field + type: boolean + allowedGroups: + description: AllowedGroups defines a list of Groups that + have limited access to the instance namespace + items: + type: string + type: array + allowedNamespaces: + description: AllowedNamespaces defines a list of namespaces + from where the service can be reached in the claim namespace + items: + type: string + type: array + allowedUsers: + description: AllowedUsers defines a list of Users that have + limited access to instance namespace. + items: + type: string + type: array + deletionProtection: + default: true + description: DeletionProtection blocks the deletion of the + instance if it is enabled (enabled by default) + type: boolean + type: object + required: + - bucketName + - region + type: object + type: object + status: + description: ObjectBucketStatus reflects the observed state of a ObjectBucket. + properties: + accessUserConditions: + description: AccessUserConditions contains a copy of the claim's + underlying user account conditions. + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: Message is a human-readable message indicating + details about the transition. + maxLength: 32768 + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: Reason contains a programmatic identifier indicating + the reason for the condition's last transition. + maxLength: 1024 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: Type of condition. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + type: object + type: array + bucketConditions: + description: BucketConditions contains a copy of the claim's underlying + bucket conditions. + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: Message is a human-readable message indicating + details about the transition. + maxLength: 32768 + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: Reason contains a programmatic identifier indicating + the reason for the condition's last transition. + maxLength: 1024 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: Status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: Type of condition. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + type: object + type: array + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition + from one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true diff --git a/tests/golden/exodev/appcat/appcat/21_composition_objectstorage_exoscale.yaml b/tests/golden/exodev/appcat/appcat/21_composition_objectstorage_exoscale.yaml new file mode 100644 index 000000000..d2bbc7844 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/21_composition_objectstorage_exoscale.yaml 
@@ -0,0 +1,38 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: '-60' + metadata.appcat.vshn.io/description: S3 compatible object storage hosted by Exoscale + metadata.appcat.vshn.io/displayname: Exoscale Object Storage + metadata.appcat.vshn.io/end-user-docs-url: https://vs.hn/objstor + metadata.appcat.vshn.io/product-description: https://products.docs.vshn.ch/products/appcat/objectstorage.html + metadata.appcat.vshn.io/zone: de-fra-1, de-muc-1, at-vie-1, ch-gva-2, ch-dk-2, + bg-sof-1 + labels: + metadata.appcat.vshn.io/offered: 'true' + metadata.appcat.vshn.io/serviceID: exoscale-objectbucket + name: exoscale.objectbuckets.appcat.vshn.io + name: exoscale.objectbuckets.appcat.vshn.io +spec: + compositeTypeRef: + apiVersion: appcat.vshn.io/v1 + kind: XObjectBucket + mode: Pipeline + pipeline: + - functionRef: + name: function-appcat + input: + apiVersion: v1 + data: + providerConfig: exoscale + providerSecretNamespace: syn-provider-exoscale-secrets + serviceName: exoscalebucket + kind: ConfigMap + metadata: + labels: + name: xfn-config + name: xfn-config + step: exoscalebucket-func + writeConnectionSecretsToNamespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_api_server.yaml b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_api_server.yaml new file mode 100644 index 000000000..a68ec4628 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_api_server.yaml 
@@ -0,0 +1,120 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-apiserver +rules: + - apiGroups: + - '' + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.crossplane.io + resources: + - compositions + verbs: + - get + - list + - watch + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - k8up.io + resources: + - snapshots + verbs: + - get + - list + - watch + - apiGroups: + - stackgres.io + resources: + - sgbackups + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - vshnmariadbs + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - vshnnextclouds + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - vshnpostgresqls + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - vshnredis + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnnextclouds + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnpostgresqls + verbs: + - get + - list + - watch diff --git a/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml new file mode 100644 index 000000000..8d8d9a9fa --- /dev/null 
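Review bot: The `appcat-apiserver` ClusterRole in apiserver/10_cluster_role_api_server.yaml is read-only except for two rules, and those two look wider than an aggregated API server needs. `subjectaccessreviews` only supports `create`, so the `delete`, `get`, `list`, `update` and `watch` verbs on it grant nothing and hide the real requirement; `verbs: [create]` would state it exactly. The `namespaces` rule gives cluster-wide `create`, `delete` and `update`, which a ClusterRoleBinding cannot narrow by name or label. Nothing in this diff shows the apiserver needing to write namespaces, so confirm that in the component source and reduce the rule to `get`, `list`, `watch` if it does not.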
+++ b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + authorization.openshift.io/aggregate-to-basic-user: 'true' + name: system-test-distribution-aggregate-appcat-to-basic-user + name: system:test-distribution:aggregate-appcat-to-basic-user +rules: + - apiGroups: + - api.appcat.vshn.io + resources: + - appcats + verbs: + - get + - list + - watch diff --git a/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_binding.yaml b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_binding.yaml new file mode 100644 index 000000000..9bdbb6516 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_binding.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: appcat-apiserver + name: appcat-apiserver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: appcat-apiserver +subjects: + - kind: ServiceAccount + name: appcat-apiserver + namespace: syn-appcat diff --git a/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_view.yaml b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_view.yaml new file mode 100644 index 000000000..eb7c58334 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/10_cluster_role_view.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + name: appcat-api-view + rbac.authorization.k8s.io/aggregate-to-view: 'true' + name: appcat:api:view +rules: + - apiGroups: + - api.appcat.vshn.io + resources: + - vshnpostgresbackups + - vshnredisbackups + - vshnmariadbbackups + verbs: + - get + - list + - watch 
diff --git a/tests/golden/exodev/appcat/appcat/apiserver/20_service_account.yaml b/tests/golden/exodev/appcat/appcat/apiserver/20_service_account.yaml new file mode 100644 index 000000000..90ed50b8d --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/20_service_account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-apiserver + namespace: syn-appcat diff --git a/tests/golden/exodev/appcat/appcat/apiserver/30_api_service.yaml b/tests/golden/exodev/appcat/appcat/apiserver/30_api_service.yaml new file mode 100644 index 000000000..c835c38fc --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/30_api_service.yaml @@ -0,0 +1,17 @@ +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + annotations: + cert-manager.io/inject-ca-from: syn-appcat/apiserver-certificate + labels: + api: appcat + apiserver: 'true' + name: v1.api.appcat.vshn.io +spec: + group: api.appcat.vshn.io + groupPriorityMinimum: 2000 + service: + name: appcat + namespace: syn-appcat + version: v1 + versionPriority: 10 diff --git a/tests/golden/exodev/appcat/appcat/apiserver/30_deployment.yaml b/tests/golden/exodev/appcat/appcat/apiserver/30_deployment.yaml new file mode 100644 index 000000000..3339eca51 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/30_deployment.yaml 
@@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + api: appcat + apiserver: 'true' + name: appcat-apiserver + namespace: syn-appcat +spec: + replicas: 2 + selector: + matchLabels: + api: appcat + apiserver: 'true' + template: + metadata: + labels: + api: appcat + apiserver: 'true' + spec: + containers: + - args: + - apiserver + - --audit-log-maxage=0 + - --audit-log-maxbackup=0 + - --audit-log-path=- + - --disable-admission-plugins=ValidatingAdmissionPolicy + - --enable-priority-and-fairness=false + - --secure-port=9443 + - --tls-cert-file=/apiserver.local.config/certificates/tls.crt + - --tls-private-key-file=/apiserver.local.config/certificates/tls.key + image: ghcr.io/vshn/appcat:v4.118.2 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: 9443 + scheme: HTTPS + initialDelaySeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + name: apiserver + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 9443 + scheme: HTTPS + initialDelaySeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - mountPath: /apiserver.local.config/certificates + name: apiserver-certs + readOnly: true + serviceAccountName: appcat-apiserver + volumes: + - name: apiserver-certs + secret: + secretName: appcat-apiserver-tls diff --git a/tests/golden/exodev/appcat/appcat/apiserver/30_service.yaml b/tests/golden/exodev/appcat/appcat/apiserver/30_service.yaml new file mode 100644 index 000000000..1d715c90b --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/30_service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + api: appcat + apiserver: 'true' + name: appcat + namespace: syn-appcat +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + api: appcat + apiserver: 'true' 
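Review bot: The `appcat-apiserver` Deployment in apiserver/30_deployment.yaml renders with no `securityContext` at pod or container level, so on a cluster without an enforcing admission policy the container may run as root with the default capability set. The controller Deployment from the same image (`ghcr.io/vshn/appcat:v4.118.2`, controllers/appcat/30_deployment.yaml) already sets `runAsNonRoot: true`, which suggests the image supports it. That controller manifest has no container-level hardening either, and its `webhook-certs` mount lacks the `readOnly: true` that the apiserver's certificate mount has. Both images are referenced by mutable tag rather than digest. As this is golden output, the settings below belong in the component's jsonnet.

```yaml
# … unchanged: args, image, probes, resources, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: appcat-apiserver
```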
diff --git a/tests/golden/exodev/appcat/appcat/apiserver/31_api_certificate.yaml b/tests/golden/exodev/appcat/appcat/apiserver/31_api_certificate.yaml new file mode 100644 index 000000000..df3281a16 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/31_api_certificate.yaml @@ -0,0 +1,25 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: apiserver-certificate + namespace: syn-appcat +spec: + dnsNames: + - appcat.syn-appcat.svc + duration: 87600h0m0s + issuerRef: + group: cert-manager.io + kind: Issuer + name: api-server-issuer + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 4096 + renewBefore: 2400h0m0s + secretName: appcat-apiserver-tls + subject: + organizations: + - vshn-appcat + usages: + - server auth + - client auth diff --git a/tests/golden/exodev/appcat/appcat/apiserver/31_api_issuer.yaml b/tests/golden/exodev/appcat/appcat/apiserver/31_api_issuer.yaml new file mode 100644 index 000000000..dc6fa5b97 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/apiserver/31_api_issuer.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: api-server-issuer + namespace: syn-appcat +spec: + selfSigned: {} diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_cluster_role.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_cluster_role.yaml new file mode 100644 index 000000000..343bfb62e --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_cluster_role.yaml 
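Review bot: The `apiserver-certificate` in apiserver/31_api_certificate.yaml is issued for `duration: 87600h0m0s` (ten years) by a `selfSigned` Issuer, so a leaked `appcat-apiserver-tls` key stays usable for years with no revocation path. The same applies to `webhook-certificate` in controllers/appcat/10_webhook_certificate.yaml. Both the APIService and the webhook configuration use `cert-manager.io/inject-ca-from`, so a much shorter lifetime should rotate cleanly, for example `duration: 2160h0m0s` with `renewBefore: 720h0m0s` (illustrative values). This assumes the binaries reload the mounted certificate, which this diff does not show. The `client auth` usage also looks unnecessary, because the secrets are only mounted as serving certificates; `usages: [server auth]` would limit what the key can be used for.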
@@ -0,0 +1,229 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-controller +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - syn.tools + resources: + - compositemariadbdatabaseinstances + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - syn.tools + resources: + - compositemariadbinstances + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - syn.tools + resources: + - compositemariadbinstances/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - syn.tools + resources: + - compositemariadbuserinstances + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - syn.tools + resources: + - compositeredisinstances + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - syn.tools + resources: + - compositeredisinstances/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnkeycloaks + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnkeycloaks/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnmariadbs + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnmariadbs/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + 
resources: + - xvshnminios + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnminios/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnnextclouds + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnnextclouds/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnpostgresqls + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnpostgresqls/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnredis + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - vshn.appcat.vshn.io + resources: + - xvshnredis/status + verbs: + - get + - list + - patch + - update + - watch diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_cluster_role_binding.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_cluster_role_binding.yaml new file mode 100644 index 000000000..1140d0032 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_cluster_role_binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: appcat-controller +subjects: + - kind: ServiceAccount + name: appcat-controller + namespace: syn-appcat diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_role_binding_leader_election.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_role_binding_leader_election.yaml new file mode 100644 index 000000000..5fee67fe4 --- /dev/null 
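Review bot: The `appcat-controller` ClusterRole in controllers/appcat/10_cluster_role.yaml grants `delete`, `patch` and `update` on every `namespaces` and `configmaps` object in the cluster, and 10_cluster_role_binding.yaml binds it cluster-wide to the `appcat-controller` ServiceAccount. RBAC cannot scope these by label, so a compromised controller pod could delete namespaces unrelated to AppCat. The namespace webhook in 10_webhooks.yaml only covers objects carrying `appcat.vshn.io/ownerkind`. If the controller only needs to label or patch instance namespaces, drop `delete` from the `namespaces` rule in the component source; if it does delete them, a short comment there stating why would help. The `vshn.appcat.vshn.io` rule with `resources: ['*']` already grants `get`, `list`, `watch`, so the per-resource rules only need `patch` and `update`.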
+++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_role_binding_leader_election.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-controller-leader-election-rolebinding + namespace: syn-appcat +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: appcat-controller-leader-election-role +subjects: + - kind: ServiceAccount + name: appcat-controller + namespace: syn-appcat diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_role_leader_election.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_role_leader_election.yaml new file mode 100644 index 000000000..c9a9f8f4a --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_role_leader_election.yaml @@ -0,0 +1,39 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-controller-leader-election-role + namespace: syn-appcat +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_certificate.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_certificate.yaml new file mode 100644 index 000000000..795cdab8f --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_certificate.yaml 
@@ -0,0 +1,25 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: webhook-certificate + namespace: syn-appcat +spec: + dnsNames: + - webhook-service.syn-appcat.svc + duration: 87600h0m0s + issuerRef: + group: cert-manager.io + kind: Issuer + name: webhook-server-issuer + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 4096 + renewBefore: 2400h0m0s + secretName: webhook-cert + subject: + organizations: + - vshn-appcat + usages: + - server auth + - client auth diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_issuer.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_issuer.yaml new file mode 100644 index 000000000..990e0aca7 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_issuer.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: webhook-server-issuer + namespace: syn-appcat +spec: + selfSigned: {} diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_service.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_service.yaml new file mode 100644 index 000000000..baa4924f3 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhook_service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: syn-appcat +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9443 + selector: + appcat-controller: appcat-controller diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhooks.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhooks.yaml new file mode 100644 index 000000000..94e02addc --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/10_webhooks.yaml 
@@ -0,0 +1,316 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: syn-appcat/webhook-certificate + name: appcat-validation +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-mysql-sql-crossplane-io-v1alpha1-database + failurePolicy: Fail + name: databases.mysql.vshn.appcat.vshn.io + rules: + - apiGroups: + - mysql.sql.crossplane.io + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - databases + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-mysql-sql-crossplane-io-v1alpha1-grant + failurePolicy: Fail + name: grants.mysql.vshn.appcat.vshn.io + rules: + - apiGroups: + - mysql.sql.crossplane.io + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - grants + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate--v1-namespace + failurePolicy: Fail + name: namespace.vshn.appcat.vshn.io + objectSelector: + matchExpressions: + - key: appcat.vshn.io/ownerkind + operator: Exists + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - DELETE + resources: + - namespaces + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-appcat-vshn-io-v1-objectbucket + failurePolicy: Fail + name: objectbuckets.vshn.appcat.vshn.io + rules: + - apiGroups: + - appcat.vshn.io + apiVersions: + - v1 + operations: + - DELETE + resources: + - objectbuckets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-kubernetes-crossplane-io-v1alpha2-object + failurePolicy: Fail + name: 
objects.vshn.appcat.vshn.io + rules: + - apiGroups: + - kubernetes.crossplane.io + apiVersions: + - v1alpha2 + operations: + - DELETE + resources: + - objects + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-vshn-appcat-vshn-io-v1-vshnpostgresql + failurePolicy: Fail + name: postgresql.vshn.appcat.vshn.io + rules: + - apiGroups: + - vshn.appcat.vshn.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - vshnpostgresqls + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate--v1-persistentvolumeclaim + failurePolicy: Fail + name: pvc.vshn.appcat.vshn.io + namespaceSelector: + matchExpressions: + - key: appcat.vshn.io/ownerkind + operator: Exists + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - DELETE + resources: + - persistentvolumeclaims + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-helm-crossplane-io-v1beta1-release + failurePolicy: Fail + name: releases.vshn.appcat.vshn.io + rules: + - apiGroups: + - helm.crossplane.io + apiVersions: + - v1beta1 + operations: + - DELETE + resources: + - releases + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-mysql-sql-crossplane-io-v1alpha1-user + failurePolicy: Fail + name: users.mysql.vshn.appcat.vshn.io + rules: + - apiGroups: + - mysql.sql.crossplane.io + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - users + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-vshn-appcat-vshn-io-v1-vshnkeycloak + failurePolicy: Fail + name: vshnkeycloak.vshn.appcat.vshn.io + rules: 
+ - apiGroups: + - vshn.appcat.vshn.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - vshnkeycloaks + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-vshn-appcat-vshn-io-v1-vshnmariadb + failurePolicy: Fail + name: vshnmariadb.vshn.appcat.vshn.io + rules: + - apiGroups: + - vshn.appcat.vshn.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - vshnmariadbs + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-vshn-appcat-vshn-io-v1-vshnminio + failurePolicy: Fail + name: vshnminio.vshn.appcat.vshn.io + rules: + - apiGroups: + - vshn.appcat.vshn.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - vshnminios + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-vshn-appcat-vshn-io-v1-vshnnextcloud + failurePolicy: Fail + name: vshnnextcloud.vshn.appcat.vshn.io + rules: + - apiGroups: + - vshn.appcat.vshn.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - vshnnextclouds + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-vshn-appcat-vshn-io-v1-vshnredis + failurePolicy: Fail + name: vshnredis.vshn.appcat.vshn.io + rules: + - apiGroups: + - vshn.appcat.vshn.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - vshnredis + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: syn-appcat + path: /validate-appcat-vshn-io-v1-xobjectbucket + failurePolicy: Fail + name: xobjectbuckets.vshn.appcat.vshn.io + objectSelector: + matchExpressions: + - key: 
appcat.vshn.io/ownerkind + operator: Exists + rules: + - apiGroups: + - appcat.vshn.io + apiVersions: + - v1 + operations: + - DELETE + resources: + - xobjectbuckets + sideEffects: None diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/20_service_account.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/20_service_account.yaml new file mode 100644 index 000000000..ca6203895 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/20_service_account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: appcat-controller + namespace: syn-appcat diff --git a/tests/golden/exodev/appcat/appcat/controllers/appcat/30_deployment.yaml b/tests/golden/exodev/appcat/appcat/controllers/appcat/30_deployment.yaml new file mode 100644 index 000000000..598d3ba75 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/controllers/appcat/30_deployment.yaml 
@@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + appcat-controller: appcat-controller + name: appcat-controller + namespace: syn-appcat +spec: + replicas: 2 + selector: + matchLabels: + appcat-controller: appcat-controller + template: + metadata: + labels: + appcat-controller: appcat-controller + spec: + containers: + - args: + - controller + - --leader-elect + - --quotas=false + env: + - name: PLANS_NAMESPACE + value: syn-appcat + image: ghcr.io/vshn/appcat:v4.118.2 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - mountPath: /etc/webhook/certs + name: webhook-certs + securityContext: + runAsNonRoot: true + serviceAccountName: appcat-controller + terminationGracePeriodSeconds: 10 + volumes: + - name: webhook-certs + secret: + secretName: webhook-cert diff --git a/tests/golden/exodev/appcat/appcat/controllers/sts-resizer/.keep.yaml b/tests/golden/exodev/appcat/appcat/controllers/sts-resizer/.keep.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/tests/golden/exodev/appcat/appcat/crossplane/00_namespace.yaml b/tests/golden/exodev/appcat/appcat/crossplane/00_namespace.yaml new file mode 100644 index 000000000..e957325c3 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/00_namespace.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: node-role.kubernetes.io/infra= + labels: + name: syn-crossplane + name: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/crossplane/01_rbac_finalizer_clusterrole.yaml b/tests/golden/exodev/appcat/appcat/crossplane/01_rbac_finalizer_clusterrole.yaml new file mode 100644 index 000000000..8367a56c6 --- /dev/null 
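Review bot: In `controllers/appcat/30_deployment.yaml` the `manager` container has no container-level `securityContext`; the pod-level `runAsNonRoot: true` is the only hardening, while the Crossplane containers rendered for the same instance set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. The container mounts the `webhook-cert` secret, so I would add `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` to it. This file is golden output, so the change belongs in the component source that renders the Deployment, which this hunk does not show.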
+++ b/tests/golden/exodev/appcat/appcat/crossplane/01_rbac_finalizer_clusterrole.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: crossplane-rbac-manager-finalizer + name: crossplane-rbac-manager:finalizer +rules: + - apiGroups: + - pkg.crossplane.io + - apiextensions.crossplane.io + resources: + - '*/finalizers' + verbs: + - '*' diff --git a/tests/golden/exodev/appcat/appcat/crossplane/01_rbac_finalizer_clusterrolebinding.yaml b/tests/golden/exodev/appcat/appcat/crossplane/01_rbac_finalizer_clusterrolebinding.yaml new file mode 100644 index 000000000..c9df16b6c --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/01_rbac_finalizer_clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: {} + labels: + name: crossplane-rbac-manager-finalizer + name: crossplane-rbac-manager:finalizer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane-rbac-manager:finalizer +subjects: + - kind: ServiceAccount + name: rbac-manager + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/clusterrole.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/clusterrole.yaml new file mode 100644 index 000000000..d5328416e --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/clusterrole.yaml 
@@ -0,0 +1,121 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-crossplane: 'true' +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + crossplane.io/scope: system + helm.sh/chart: crossplane-1.16.0 + rbac.crossplane.io/aggregate-to-crossplane: 'true' + name: crossplane:system:aggregate-to-crossplane +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - create + - update + - patch + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + - customresourcedefinitions/status + verbs: + - '*' + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - serviceaccounts + - services + verbs: + - '*' + - apiGroups: + - apiextensions.crossplane.io + - pkg.crossplane.io + - secrets.crossplane.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - extensions + - apps + resources: + - deployments + verbs: + - get + - list + - create + - update + - patch + - delete + - watch + - apiGroups: + - '' + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - 
get + - list + - create + - update + - patch + - watch + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - create + - update + - patch + - watch + - delete diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/clusterrolebinding.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..31009b957 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/clusterrolebinding.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane +subjects: + - kind: ServiceAccount + name: crossplane + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/deployment.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/deployment.yaml new file mode 100644 index 000000000..ede288fa6 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/deployment.yaml 
@@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + release: appcat + name: crossplane + namespace: syn-crossplane +spec: + replicas: 1 + selector: + matchLabels: + app: crossplane + release: appcat + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + release: appcat + spec: + containers: + - args: + - core + - start + - --enable-environment-configs + - --enable-usages + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: crossplane + divisor: '1' + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: crossplane + divisor: '1' + resource: limits.memory + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: LEADER_ELECTION + value: 'true' + - name: TLS_SERVER_SECRET_NAME + value: crossplane-tls-server + - name: TLS_SERVER_CERTS_DIR + value: /tls/server + - name: TLS_CLIENT_SECRET_NAME + value: crossplane-tls-client + - name: TLS_CLIENT_CERTS_DIR + value: /tls/client + image: docker.io/crossplane/crossplane:v1.16.0 + imagePullPolicy: IfNotPresent + name: crossplane + ports: + - containerPort: 8081 + name: readyz + - containerPort: 9443 + name: webhooks + resources: + limits: + cpu: 1000m 
+ memory: 1024Mi + requests: + cpu: 10m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsUser: 65532 + startupProbe: + failureThreshold: 30 + periodSeconds: 2 + tcpSocket: + port: readyz + volumeMounts: + - mountPath: /cache + name: package-cache + - mountPath: /tls/server + name: tls-server-certs + - mountPath: /tls/client + name: tls-client-certs + hostNetwork: false + initContainers: + - args: + - core + - init + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: crossplane-init + divisor: '1' + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: crossplane-init + divisor: '1' + resource: limits.memory + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: WEBHOOK_SERVICE_NAME + value: crossplane-webhooks + - name: WEBHOOK_SERVICE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: WEBHOOK_SERVICE_PORT + value: '9443' + - name: TLS_CA_SECRET_NAME + value: crossplane-root-ca + - name: TLS_SERVER_SECRET_NAME + value: crossplane-tls-server + - name: TLS_CLIENT_SECRET_NAME + value: crossplane-tls-client + image: docker.io/crossplane/crossplane:v1.16.0 + imagePullPolicy: IfNotPresent + name: crossplane-init + resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 10m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsUser: 65532 + serviceAccountName: crossplane + volumes: + - emptyDir: + medium: null + sizeLimit: 20Mi + name: package-cache + - name: tls-server-certs + secret: + secretName: crossplane-tls-server + - name: tls-client-certs + secret: + secretName: crossplane-tls-client 
diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml new file mode 100644 index 000000000..88ed9d4d7 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml @@ -0,0 +1,19 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-allowed-provider-permissions: 'true' +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane:allowed-provider-permissions diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-clusterrole.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-clusterrole.yaml new file mode 100644 index 000000000..8a18bb62e --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-clusterrole.yaml 
@@ -0,0 +1,122 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-rbac-manager +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - namespaces/finalizers + verbs: + - update + - apiGroups: + - apiextensions.crossplane.io + resources: + - compositeresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.crossplane.io + resources: + - compositeresourcedefinitions/finalizers + verbs: + - update + - apiGroups: + - pkg.crossplane.io + resources: + - providerrevisions + verbs: + - get + - list + - watch + - apiGroups: + - pkg.crossplane.io + resources: + - providerrevisions/finalizers + verbs: + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - roles + verbs: + - get + - list + - watch + - create + - update + - patch + - escalate + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - bind + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - '*' + - apiGroups: + - '' + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - create + - update + - patch + - watch + - delete 
diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml new file mode 100644 index 000000000..7871614c0 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-rbac-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane-rbac-manager +subjects: + - kind: ServiceAccount + name: rbac-manager + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-deployment.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-deployment.yaml new file mode 100644 index 000000000..5129f5b5b --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-deployment.yaml 
@@ -0,0 +1,106 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane-rbac-manager + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + release: appcat + name: crossplane-rbac-manager + namespace: syn-crossplane +spec: + replicas: 1 + selector: + matchLabels: + app: crossplane-rbac-manager + release: appcat + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: crossplane-rbac-manager + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + release: appcat + spec: + containers: + - args: + - rbac + - start + - --provider-clusterrole=crossplane:allowed-provider-permissions + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: crossplane + divisor: '1' + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: crossplane + divisor: '1' + resource: limits.memory + - name: LEADER_ELECTION + value: 'true' + image: docker.io/crossplane/crossplane:v1.16.0 + imagePullPolicy: IfNotPresent + name: crossplane + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 10m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsUser: 65532 + initContainers: + - args: + - rbac + - init + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: crossplane-init + divisor: '1' + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: 
crossplane-init + divisor: '1' + resource: limits.memory + image: docker.io/crossplane/crossplane:v1.16.0 + imagePullPolicy: IfNotPresent + name: crossplane-init + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 10m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsUser: 65532 + serviceAccountName: rbac-manager diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml new file mode 100644 index 000000000..8b5ccac3d --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-managed-clusterroles.yaml 
@@ -0,0 +1,308 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-admin: 'true' +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-admin +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-edit: 'true' +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-edit +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-view: 'true' +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-view +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-browse: 'true' +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: 
crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-browse +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + rbac.crossplane.io/aggregate-to-admin: 'true' + name: crossplane:aggregate-to-admin +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + - namespaces + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - roles + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - rolebindings + verbs: + - '*' + - apiGroups: + - apiextensions.crossplane.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - pkg.crossplane.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + 
rbac.crossplane.io/aggregate-to-edit: 'true' + name: crossplane:aggregate-to-edit +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.crossplane.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - pkg.crossplane.io + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + rbac.crossplane.io/aggregate-to-view: 'true' + name: crossplane:aggregate-to-view +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.crossplane.io + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - pkg.crossplane.io + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + rbac.crossplane.io/aggregate-to-browse: 'true' + name: crossplane:aggregate-to-browse +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - 
watch + - apiGroups: + - apiextensions.crossplane.io + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane-admin +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: crossplane:masters diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml new file mode 100644 index 000000000..943d86a8c --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/rbac-manager-serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: rbac-manager + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/secret.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/secret.yaml new file mode 100644 index 000000000..e0855ffcb --- /dev/null 
+++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/secret.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: crossplane-root-ca + namespace: syn-crossplane +type: Opaque +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: crossplane-tls-server + namespace: syn-crossplane +type: Opaque +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + name: crossplane-tls-client + namespace: syn-crossplane +type: Opaque diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/service.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/service.yaml new file mode 100644 index 000000000..e949f31fd --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/service.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + release: appcat + name: crossplane-webhooks + namespace: syn-crossplane +spec: + ports: + - port: 9443 + protocol: TCP + targetPort: 9443 + selector: + app: crossplane + release: appcat diff --git a/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/serviceaccount.yaml b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/serviceaccount.yaml new file mode 100644 index 000000000..13f97adc4 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/crossplane/helmchart/crossplane/templates/serviceaccount.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-100' + labels: + app: crossplane + app.kubernetes.io/component: cloud-infrastructure-controller + app.kubernetes.io/instance: appcat + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: crossplane + app.kubernetes.io/part-of: crossplane + app.kubernetes.io/version: 1.16.0 + helm.sh/chart: crossplane-1.16.0 + name: crossplane + namespace: syn-crossplane diff --git a/tests/golden/exodev/appcat/appcat/sla_reporter/01_cronjob.yaml b/tests/golden/exodev/appcat/appcat/sla_reporter/01_cronjob.yaml new file mode 100644 index 000000000..d3278541d --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/sla_reporter/01_cronjob.yaml @@ -0,0 +1,48 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: appcat-sla-reporter + name: appcat-sla-reporter + namespace: appcat-slos +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: appcat-sla-reporter + spec: + containers: + - args: + - slareport + - --previousmonth + - --mimirorg + - appuio-managed-openshift-metrics + env: + - name: PROM_URL + value: http://kube-prometheus-kube-prome-prometheus.prometheus-system.svc.cluster.local:8080/prometheus + envFrom: + - secretRef: + name: appcat-sla-reports-creds + image: ghcr.io/vshn/appcat:v4.118.2 + name: sla-reporter + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 10m + memory: 200Mi + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + terminationGracePeriodSeconds: 30 + volumes: [] + schedule: 0 9 1 * * + successfulJobsHistoryLimit: 0 diff --git a/tests/golden/exodev/appcat/appcat/sla_reporter/02_object_bucket.yaml b/tests/golden/exodev/appcat/appcat/sla_reporter/02_object_bucket.yaml new file mode 100644 index 000000000..7724f18cc --- /dev/null 
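Review bot: The exodev golden output still renders the SLA reporter CronJob (`sla_reporter/01_cronjob.yaml`) although this commit stops rendering the `22_prom_rule_sla_*` rules and the `sli_exporter` SLOs when `vars.isExoscale` is true. If `slareport` depends on the metrics those rules produce (not visible here), the job would run every month with nothing to report, and its settings look like non-Exoscale defaults (`--mimirorg appuio-managed-openshift-metrics`, and `region: lpg` in `02_object_bucket.yaml`). I would either gate the reporter with the same `!vars.isExoscale` condition or set Exoscale-specific values in `tests/exodev.yaml`. Separately, the `sla-reporter` container receives `appcat-sla-reports-creds` through `envFrom` and has no `securityContext`; adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` in the rendering source would match the other workloads of this instance.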
+++ b/tests/golden/exodev/appcat/appcat/sla_reporter/02_object_bucket.yaml @@ -0,0 +1,14 @@ +apiVersion: appcat.vshn.io/v1 +kind: ObjectBucket +metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false,SkipDryRunOnMissingResource=true + name: appcat-sla-reports + namespace: appcat-slos +spec: + parameters: + bucketName: appcat-sla-reports + region: lpg + writeConnectionSecretToRef: + name: appcat-sla-reports-creds diff --git a/tests/golden/exodev/appcat/appcat/sla_reporter/03_network_policy.yaml b/tests/golden/exodev/appcat/appcat/sla_reporter/03_network_policy.yaml new file mode 100644 index 000000000..e17b42531 --- /dev/null +++ b/tests/golden/exodev/appcat/appcat/sla_reporter/03_network_policy.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: {} + labels: + name: allow-from-appcat-slos + name: allow-from-appcat-slos + namespace: prometheus-system +spec: + egress: [] + ingress: + - from: + - namespaceSelector: + matchLabels: + name: appcat-slos + podSelector: {} + policyTypes: + - Ingress diff --git a/tests/golden/exodev/appcat/appcat/statefuleset-resize-controller.yaml b/tests/golden/exodev/appcat/appcat/statefuleset-resize-controller.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/tests/golden/exodev/appcat/apps/appcat.yaml b/tests/golden/exodev/appcat/apps/appcat.yaml new file mode 100644 index 000000000..3e0571518 --- /dev/null +++ b/tests/golden/exodev/appcat/apps/appcat.yaml @@ -0,0 +1,12 @@ +spec: + ignoreDifferences: + - group: admissionregistration.k8s.io + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle + kind: ValidatingWebhookConfiguration + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - ServerSideApply=true
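Review bot: The `allow-from-appcat-slos` policy in `sla_reporter/03_network_policy.yaml` is broader than the reporter needs: `podSelector: {}` with no `ports` entry admits traffic from every pod of a namespace labelled `name: appcat-slos` to every pod and port in `prometheus-system`. The only consumer visible in this instance is the CronJob's `PROM_URL`, so I would add a `podSelector` for the Prometheus pods and a `ports` entry for the port they listen on (the URL shows service port 8080; the pod port may differ). Selecting the source namespace by `kubernetes.io/metadata.name: appcat-slos` instead of the free-form `name` label would tie the rule to the namespace's actual name, since that label is set by the API server. As this is golden output, the change belongs in the component source that renders the policy, which this hunk does not show.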