From 155d12091e34208bdda00a0dbbfa578fabe6133b Mon Sep 17 00:00:00 2001 From: Angel Kafazov Date: Wed, 22 Jan 2025 15:48:09 +0200 Subject: [PATCH] update snapshot On-behalf-of: @SAP angel.kafazov@sap.com Signed-off-by: Angel Kafazov --- .../__snapshot__/deployment_test.yaml.snap | 170 ++++++++++++++++-- 1 file changed, 158 insertions(+), 12 deletions(-) diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap index 9fd7469e4..db47f55aa 100644 --- a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap @@ -278,6 +278,8 @@ operator match the snapshot: apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3 @@ -286,7 +288,8 @@ operator match the snapshot: service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator @@ -296,7 +299,7 @@ operator match the snapshot: - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -304,7 +307,7 @@ operator match the snapshot: - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE @@ -322,7 +325,7 @@ operator match the snapshot: - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs image: ghcr.io/openmfp/account-operator:0.0.0 @@ -340,6 +343,9 @@ operator match the snapshot: - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -364,7 +370,10 @@ operator match the snapshot: path: /readyz port: 8081 periodSeconds: 10 - volumeMounts: null + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true hostAliases: - hostnames: - kcp.dev.local @@ -375,7 +384,11 @@ operator match the snapshot: type: RuntimeDefault serviceAccountName: account-operator terminationGracePeriodSeconds: 10 - volumes: null + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: @@ -383,6 +396,66 @@ operator match the snapshot: kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: account-operator-webhook + namespace: NAMESPACE + path: /mutate-core-openmfp-io-v1alpha1-account + failurePolicy: Fail + name: maccount.kb.io + rules: + - apiGroups: + - core.openmfp.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - accounts + sideEffects: None + 7: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 8: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 9: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot (with kubeconfigSecret): 1: | apiVersion: apiextensions.k8s.io/v1 @@ -663,6 +736,8 @@ operator match the snapshot (with kubeconfigSecret): apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3 @@ -671,7 +746,8 @@ operator match the snapshot (with kubeconfigSecret): service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator @@ -681,7 +757,7 @@ operator match the snapshot (with kubeconfigSecret): - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -689,7 +765,7 @@ operator match the snapshot (with kubeconfigSecret): - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE @@ -707,7 +783,7 @@ operator match the snapshot (with kubeconfigSecret): - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs - name: KUBECONFIG @@ -727,6 +803,9 @@ operator match the snapshot (with kubeconfigSecret): - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -754,6 +833,9 @@ operator match the snapshot (with kubeconfigSecret): volumeMounts: - mountPath: /api-kubeconfig name: external-api-server + - mountPath: /certs + name: cert + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -764,6 +846,10 @@ operator match the snapshot (with kubeconfigSecret): - name: external-api-server secret: secretName: kubeconfig + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: @@ -771,6 +857,66 @@ operator match the snapshot (with kubeconfigSecret): kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: account-operator-webhook + namespace: NAMESPACE + path: /mutate-core-openmfp-io-v1alpha1-account + failurePolicy: Fail + name: maccount.kb.io + rules: + - apiGroups: + - core.openmfp.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - accounts + sideEffects: None + 7: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 8: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 9: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot with webhook enabled: 1: | apiVersion: apiextensions.k8s.io/v1 @@ -1072,7 +1218,7 @@ operator match the snapshot with webhook enabled: - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -1080,7 +1226,7 @@ operator match the snapshot with webhook enabled: - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE