change defaults for account-operator

On-behalf-of: @SAP angel.kafazov@sap.com
Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>

.gitignore

@@ -4,4 +4,5 @@
 .secret
 bin/
 node_modules/
-/oci/
+/oci/
+local-setup/e2e/test-results/.last-run.json

charts/account-operator/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.1.11
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.2.8
-digest: sha256:bce71370622dfe032df80c951a770dccb6deaf3a5ae075335910f754bd4fccc8
-generated: "2025-02-10T18:48:32.141404162Z"
+  version: 0.2.9
+digest: sha256:ce62f3509009553615bfcd1f7865fe5493780567e7f592e14449f44a2ba84c5f
+generated: "2025-02-12T15:44:18.230046291+02:00"

charts/account-operator/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: account-operator
 description: A Helm chart to deploy OpenMFP Account-Operator
 type: application
-version: 0.5.69
+version: 0.6.0
 appVersion: "0.156.0"
 dependencies:
   - name: account-operator-crds
     version: 0.1.11
     condition: crds.enabled
     repository: oci://ghcr.io/openmfp/helm-charts
   - name: common
-    version: 0.2.8
+    version: 0.2.9
     repository: oci://ghcr.io/openmfp/helm-charts

charts/account-operator/README.md

@@ -23,19 +23,19 @@ A Helm chart to deploy OpenMFP Account-Operator
 | kcp.enabled | bool | `false` | Enable KCP |
 | kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace |
 | kubeconfigSecret | string | `""` | The secret for kubeconfig |
-| logLevel | string | `"warn"` | The log level |
+| logLevel | string | `"debug"` | The log level |
 | security.mountServiceAccountToken | bool | `true` | Mount the service account token |
 | subroutines.extension.enabled | bool | `true` | Enable extension subroutines |
 | subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines |
 | subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA |
 | subroutines.fga.enabled | bool | `true` | Enable FGA subroutines |
-| subroutines.fga.grpcAddr | string | `""` | The gRPC address for FGA |
+| subroutines.fga.grpcAddr | string | `"openmfp-openfga:8081"` | The gRPC address for FGA |
 | subroutines.fga.objectType | string | `"account"` | The object type for FGA |
 | subroutines.fga.parentRelation | string | `"parent"` | The parent relation for FGA |
 | subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA |
 | subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines |
 | webhooks.certDir | string | `"/certs"` | The directory for webhook certificates |
-| webhooks.enabled | bool | `false` | Enable webhooks |
+| webhooks.enabled | bool | `true` | Enable webhooks |
 
 ## Overriding Values
 

charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap

@@ -278,6 +278,8 @@ operator match the snapshot:
     apiVersion: apps/v1
     kind: Deployment
     metadata:
+      annotations:
+        cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert
       name: account-operator
     spec:
       revisionHistoryLimit: 3
@@ -286,7 +288,8 @@ operator match the snapshot:
           service: account-operator
       template:
         metadata:
-          annotations: null
+          annotations:
+            traffic.sidecar.istio.io/excludeInboundPorts: "9443"
           labels:
             control-plane: controller-manager
             service: account-operator
@@ -296,15 +299,15 @@ operator match the snapshot:
             - args:
                 - operator
                 - --leader-elect
-                - --log-level=warn
+                - --log-level=debug
                 - --health-probe-bind-address=:8081
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
                 - name: SUBROUTINES_FGA_ENABLED
                   value: "true"
                 - name: SUBROUTINES_FGA_GRPC_ADDR
-                  value: ""
+                  value: openmfp-openfga:8081
                 - name: SUBROUTINES_FGA_ROOT_NAMESPACE
                   value: openmfp-root
                 - name: SUBROUTINES_FGA_OBJECT_TYPE
@@ -322,7 +325,7 @@ operator match the snapshot:
                 - name: KCP_VIRTUAL_WORKSPACE_URL
                   value: ""
                 - name: WEBHOOKS_ENABLED
-                  value: "false"
+                  value: "true"
                 - name: WEBHOOKS_CERT_DIR
                   value: /certs
               image: ghcr.io/openmfp/account-operator:0.0.0
@@ -340,6 +343,9 @@ operator match the snapshot:
                 - containerPort: 8081
                   name: health-port
                   protocol: TCP
+                - containerPort: 9443
+                  name: webhook-port
+                  protocol: TCP
               readinessProbe:
                 httpGet:
                   path: /readyz
@@ -364,7 +370,10 @@ operator match the snapshot:
                   path: /readyz
                   port: 8081
                 periodSeconds: 10
-              volumeMounts: null
+              volumeMounts:
+                - mountPath: /certs
+                  name: cert
+                  readOnly: true
           hostAliases:
             - hostnames:
                 - kcp.dev.local
@@ -375,14 +384,78 @@ operator match the snapshot:
               type: RuntimeDefault
           serviceAccountName: account-operator
           terminationGracePeriodSeconds: 10
-          volumes: null
+          volumes:
+            - name: cert
+              secret:
+                defaultMode: 420
+                secretName: account-operator-webhook-server-cert
   5: |
     apiVersion: v1
     imagePullSecrets:
       - name: github
     kind: ServiceAccount
     metadata:
       name: account-operator
+  6: |
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: MutatingWebhookConfiguration
+    metadata:
+      annotations:
+        cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert
+      name: account-operator-mutating-webhook-configuration
+    webhooks:
+      - admissionReviewVersions:
+          - v1
+        clientConfig:
+          service:
+            name: account-operator-webhook
+            namespace: NAMESPACE
+            path: /mutate-core-openmfp-io-v1alpha1-account
+        failurePolicy: Fail
+        name: maccount.kb.io
+        rules:
+          - apiGroups:
+              - core.openmfp.io
+            apiVersions:
+              - v1alpha1
+            operations:
+              - CREATE
+            resources:
+              - accounts
+        sideEffects: None
+  7: |
+    apiVersion: cert-manager.io/v1
+    kind: Issuer
+    metadata:
+      name: account-operator-selfsigned-issuer
+    spec:
+      selfSigned: {}
+  8: |
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: account-operator-serving-cert
+    spec:
+      dnsNames:
+        - account-operator-webhook.NAMESPACE.svc
+        - account-operator-webhook.NAMESPACE.svc.cluster.local
+      issuerRef:
+        kind: Issuer
+        name: account-operator-selfsigned-issuer
+      secretName: account-operator-webhook-server-cert
+  9: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: account-operator-webhook
+    spec:
+      ports:
+        - port: 443
+          protocol: TCP
+          targetPort: 9443
+      selector:
+        control-plane: controller-manager
+        service: account-operator
 operator match the snapshot (with kubeconfigSecret):
   1: |
     apiVersion: apiextensions.k8s.io/v1
@@ -663,6 +736,8 @@ operator match the snapshot (with kubeconfigSecret):
     apiVersion: apps/v1
     kind: Deployment
     metadata:
+      annotations:
+        cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert
       name: account-operator
     spec:
       revisionHistoryLimit: 3
@@ -671,7 +746,8 @@ operator match the snapshot (with kubeconfigSecret):
           service: account-operator
       template:
         metadata:
-          annotations: null
+          annotations:
+            traffic.sidecar.istio.io/excludeInboundPorts: "9443"
           labels:
             control-plane: controller-manager
             service: account-operator
@@ -681,15 +757,15 @@ operator match the snapshot (with kubeconfigSecret):
             - args:
                 - operator
                 - --leader-elect
-                - --log-level=warn
+                - --log-level=debug
                 - --health-probe-bind-address=:8081
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
                 - name: SUBROUTINES_FGA_ENABLED
                   value: "true"
                 - name: SUBROUTINES_FGA_GRPC_ADDR
-                  value: ""
+                  value: openmfp-openfga:8081
                 - name: SUBROUTINES_FGA_ROOT_NAMESPACE
                   value: openmfp-root
                 - name: SUBROUTINES_FGA_OBJECT_TYPE
@@ -707,7 +783,7 @@ operator match the snapshot (with kubeconfigSecret):
                 - name: KCP_VIRTUAL_WORKSPACE_URL
                   value: ""
                 - name: WEBHOOKS_ENABLED
-                  value: "false"
+                  value: "true"
                 - name: WEBHOOKS_CERT_DIR
                   value: /certs
                 - name: KUBECONFIG
@@ -727,6 +803,9 @@ operator match the snapshot (with kubeconfigSecret):
                 - containerPort: 8081
                   name: health-port
                   protocol: TCP
+                - containerPort: 9443
+                  name: webhook-port
+                  protocol: TCP
               readinessProbe:
                 httpGet:
                   path: /readyz
@@ -754,6 +833,9 @@ operator match the snapshot (with kubeconfigSecret):
               volumeMounts:
                 - mountPath: /api-kubeconfig
                   name: external-api-server
+                - mountPath: /certs
+                  name: cert
+                  readOnly: true
           securityContext:
             runAsNonRoot: true
             seccompProfile:
@@ -764,13 +846,77 @@ operator match the snapshot (with kubeconfigSecret):
             - name: external-api-server
               secret:
                 secretName: kubeconfig
+            - name: cert
+              secret:
+                defaultMode: 420
+                secretName: account-operator-webhook-server-cert
   5: |
     apiVersion: v1
     imagePullSecrets:
       - name: github
     kind: ServiceAccount
     metadata:
       name: account-operator
+  6: |
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: MutatingWebhookConfiguration
+    metadata:
+      annotations:
+        cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert
+      name: account-operator-mutating-webhook-configuration
+    webhooks:
+      - admissionReviewVersions:
+          - v1
+        clientConfig:
+          service:
+            name: account-operator-webhook
+            namespace: NAMESPACE
+            path: /mutate-core-openmfp-io-v1alpha1-account
+        failurePolicy: Fail
+        name: maccount.kb.io
+        rules:
+          - apiGroups:
+              - core.openmfp.io
+            apiVersions:
+              - v1alpha1
+            operations:
+              - CREATE
+            resources:
+              - accounts
+        sideEffects: None
+  7: |
+    apiVersion: cert-manager.io/v1
+    kind: Issuer
+    metadata:
+      name: account-operator-selfsigned-issuer
+    spec:
+      selfSigned: {}
+  8: |
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: account-operator-serving-cert
+    spec:
+      dnsNames:
+        - account-operator-webhook.NAMESPACE.svc
+        - account-operator-webhook.NAMESPACE.svc.cluster.local
+      issuerRef:
+        kind: Issuer
+        name: account-operator-selfsigned-issuer
+      secretName: account-operator-webhook-server-cert
+  9: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: account-operator-webhook
+    spec:
+      ports:
+        - port: 443
+          protocol: TCP
+          targetPort: 9443
+      selector:
+        control-plane: controller-manager
+        service: account-operator
 operator match the snapshot with webhook enabled:
   1: |
     apiVersion: apiextensions.k8s.io/v1
@@ -1072,15 +1218,15 @@ operator match the snapshot with webhook enabled:
             - args:
                 - operator
                 - --leader-elect
-                - --log-level=warn
+                - --log-level=debug
                 - --health-probe-bind-address=:8081
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
                 - name: SUBROUTINES_FGA_ENABLED
                   value: "true"
                 - name: SUBROUTINES_FGA_GRPC_ADDR
-                  value: ""
+                  value: openmfp-openfga:8081
                 - name: SUBROUTINES_FGA_ROOT_NAMESPACE
                   value: openmfp-root
                 - name: SUBROUTINES_FGA_OBJECT_TYPE

charts/account-operator/values.yaml

@@ -10,7 +10,7 @@ crds:
 
 webhooks:
   # -- Enable webhooks
-  enabled: false
+  enabled: true
   # -- The directory for webhook certificates
   certDir: /certs
 
@@ -29,7 +29,7 @@ subroutines:
     # -- Enable FGA subroutines
     enabled: true
     # -- The gRPC address for FGA
-    grpcAddr: ""
+    grpcAddr: openmfp-openfga:8081
     # -- The root namespace for FGA
     rootNamespace: openmfp-root
     # -- The object type for FGA
@@ -48,7 +48,7 @@ subroutines:
 # -- The secret for kubeconfig
 kubeconfigSecret: ""
 # -- The log level
-logLevel: warn
+logLevel: debug
 
 security:
   # -- Mount the service account token