diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap index 9fd7469e4..db47f55aa 100644 --- a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap @@ -278,6 +278,8 @@ operator match the snapshot: apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3 @@ -286,7 +288,8 @@ operator match the snapshot: service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator @@ -296,7 +299,7 @@ operator match the snapshot: - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -304,7 +307,7 @@ operator match the snapshot: - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE @@ -322,7 +325,7 @@ operator match the snapshot: - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs image: ghcr.io/openmfp/account-operator:0.0.0 @@ -340,6 +343,9 @@ operator match the snapshot: - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -364,7 +370,10 @@ operator match the snapshot: path: /readyz port: 8081 periodSeconds: 10 - volumeMounts: null + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true hostAliases: - hostnames: - kcp.dev.local 
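Review bot: `cert-manager.io/inject-ca-from` is added to the Deployment's own `metadata.annotations` in the first hunk, but cert-manager's CA injector only acts on webhook configurations, CRDs and APIServices, so on a Deployment the annotation does nothing. It looks as if a shared annotations helper is being applied to both objects; the template is not visible here, so that is an inference. The MutatingWebhookConfiguration added later in this snapshot already carries the annotation, so I would drop it from the Deployment rather than suggest the pod depends on it. The same two lines appear in the `with kubeconfigSecret` case.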
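Review bot: `--log-level=debug` replaces `--log-level=warn` in the default render, here and in the `with kubeconfigSecret` and `with webhook enabled` cases. If this comes from the chart's default values rather than a test-only override, every install that does not set the level will run the controller at debug verbosity while `SUBROUTINES_FGA_ENABLED` and `WEBHOOKS_ENABLED` are both `"true"`, which raises log volume and the chance that request or authorization detail ends up in logs. I would keep `warn` (or `info`) as the shipped default and leave `debug` to an explicit override.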
@@ -375,7 +384,11 @@ operator match the snapshot: type: RuntimeDefault serviceAccountName: account-operator terminationGracePeriodSeconds: 10 - volumes: null + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: @@ -383,6 +396,66 @@ operator match the snapshot: kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: account-operator-webhook + namespace: NAMESPACE + path: /mutate-core-openmfp-io-v1alpha1-account + failurePolicy: Fail + name: maccount.kb.io + rules: + - apiGroups: + - core.openmfp.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - accounts + sideEffects: None + 7: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 8: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 9: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot (with kubeconfigSecret): 1: | apiVersion: apiextensions.k8s.io/v1 
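Review bot: The webhook `maccount.kb.io` is registered with `failurePolicy: Fail` and no explicit `timeoutSeconds`, and it is now part of the default render, so every `CREATE` of `accounts` in `core.openmfp.io` is rejected while the operator pod or the `account-operator-webhook` Service is unavailable. Failing closed is a sound default for an admission control point, but together with the non-optional `cert` volume on `account-operator-webhook-server-cert` it makes cert-manager a hard prerequisite: without it the pod cannot start and account creation stays blocked. I would document that prerequisite next to the webhook toggle and set the timeout explicitly, e.g. `timeoutSeconds: 5`, so the API server's wait is a stated choice. The same objects are repeated in the `with kubeconfigSecret` case.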
@@ -663,6 +736,8 @@ operator match the snapshot (with kubeconfigSecret): apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3 @@ -671,7 +746,8 @@ operator match the snapshot (with kubeconfigSecret): service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator @@ -681,7 +757,7 @@ operator match the snapshot (with kubeconfigSecret): - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -689,7 +765,7 @@ operator match the snapshot (with kubeconfigSecret): - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE @@ -707,7 +783,7 @@ operator match the snapshot (with kubeconfigSecret): - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs - name: KUBECONFIG @@ -727,6 +803,9 @@ operator match the snapshot (with kubeconfigSecret): - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -754,6 +833,9 @@ operator match the snapshot (with kubeconfigSecret): volumeMounts: - mountPath: /api-kubeconfig name: external-api-server + - mountPath: /certs + name: cert + readOnly: true securityContext: runAsNonRoot: true seccompProfile: 
@@ -764,6 +846,10 @@ operator match the snapshot (with kubeconfigSecret): - name: external-api-server secret: secretName: kubeconfig + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: @@ -771,6 +857,66 @@ operator match the snapshot (with kubeconfigSecret): kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: account-operator-webhook + namespace: NAMESPACE + path: /mutate-core-openmfp-io-v1alpha1-account + failurePolicy: Fail + name: maccount.kb.io + rules: + - apiGroups: + - core.openmfp.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - accounts + sideEffects: None + 7: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 8: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 9: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot with webhook enabled: 1: | apiVersion: apiextensions.k8s.io/v1 
@@ -1072,7 +1218,7 @@ operator match the snapshot with webhook enabled: - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -1080,7 +1226,7 @@ operator match the snapshot with webhook enabled: - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE diff --git a/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap index 2715a6bda..f477cabb1 100644 --- a/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap @@ -123,6 +123,42 @@ operator match the snapshot: path: /readyz port: 8081 periodSeconds: 10 + - args: + - server + image: ghcr.io/openmfp/extension-manager-operator:1.0.0 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 1 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 + name: server + ports: + - containerPort: 8088 + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 securityContext: runAsNonRoot: true seccompProfile: diff --git a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap index 0967ef424..bcf69b6b6 100644 --- a/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap 
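Review bot: In the extension-manager-operator hunk, the new `server` container points its liveness, readiness and startup probes at `/readyz` on port 8081, the same port the preceding container's probe uses in the context lines just above. Containers in one pod share a network namespace, so either both processes try to bind 8081 or the `server` probes are answered by the other container and say nothing about `server` itself. The repeated `containerPort: 8080` and `containerPort: 8081` entries have the same problem. Point the probes at a port the server process actually listens on; 8088 is declared but has no `name` or `protocol`, so something like `name: http` would make that explicit. The container spec comes from a template outside this hunk, so confirm there which ports each process binds.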
+++ b/charts/infra/tests/__snapshot__/snapshot_test.yaml.snap @@ -1 +1,52 @@ -{} +matches the snapshot: + 1: | + apiVersion: core.openmfp.io/v1alpha1 + kind: Store + metadata: + name: test + namespace: test + spec: + coreModule: |2 + module core + + type user + + type account + relations + define owner: [user] + define member: [user] or owner + tuples: + - object: account:a + relation: owner + user: user:a + 2: | + apiVersion: networking.istio.io/v1 + kind: Gateway + metadata: + name: gateway + namespace: NAMESPACE + spec: + selector: + istio: gateway + servers: + - hosts: + - '*' + port: + name: http + number: 8080 + protocol: HTTP + 3: | + apiVersion: networking.istio.io/v1 + kind: ServiceEntry + metadata: + name: openmfp-https + namespace: NAMESPACE + spec: + hosts: + - example.com + location: MESH_EXTERNAL + ports: + - name: https + number: 443 + protocol: TLS + resolution: DNS diff --git a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap index d2def5a6f..f65788f49 100644 --- a/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap +++ b/charts/keycloak/tests/__snapshot__/crossplane_test.yaml.snap 
@@ -41,57 +41,6 @@ matches the snapshot: providerConfigRef: name: keycloak-provider-config 3: | - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: keycloak-sap - namespace: openmfp-system - spec: - data: - - remoteRef: - conversionStrategy: Default - key: dxp-core-team/manual-secrets/sap-client-secret - property: client-secret - secretKey: client-secret - refreshInterval: 10m - secretStoreRef: - kind: SecretStore - name: environment-store - target: - creationPolicy: Owner - deletionPolicy: Retain - name: sap-client-secret - 4: | - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: keycloak-provider-config - namespace: openmfp-system - spec: - data: - - remoteRef: - conversionStrategy: Default - key: keycloak-admin - property: password - secretKey: password - refreshInterval: 10m - secretStoreRef: - kind: SecretStore - name: environment-store - target: - name: keycloak-provider-config - template: - data: - config: | - { - "client_id":"admin-cli", - "username": "keycloak-admin", - "password": "{{ .password }}", - "url": "http://openmfp-keycloak.openmfp-system.svc.cluster.local/keycloak", - "realm": "master" - } - engineVersion: v2 - 5: | apiVersion: defaults.keycloak.crossplane.io/v1alpha1 kind: DefaultGroups metadata: @@ -104,7 +53,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 6: | + 4: | apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Group metadata: @@ -116,7 +65,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 7: | + 5: | apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: ClientScope metadata: @@ -130,7 +79,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 8: | + 6: | apiVersion: openidgroup.keycloak.crossplane.io/v1alpha1 kind: GroupMembershipProtocolMapper metadata: 
@@ -145,7 +94,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 9: | + 7: | apiVersion: oidc.keycloak.crossplane.io/v1alpha1 kind: IdentityProvider metadata: @@ -168,7 +117,7 @@ matches the snapshot: trustEmail: true providerConfigRef: name: keycloak-provider-config - 10: | + 8: | apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1 kind: IdentityProviderMapper metadata: @@ -186,7 +135,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 11: | + 9: | apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1 kind: IdentityProviderMapper metadata: @@ -204,7 +153,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 12: | + 10: | apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: ClientScope metadata: @@ -217,7 +166,7 @@ matches the snapshot: name: openmfp providerConfigRef: name: keycloak-provider-config - 13: | + 11: | apiVersion: keycloak.crossplane.io/v1beta1 kind: ProviderConfig metadata: @@ -230,7 +179,22 @@ matches the snapshot: name: keycloak-provider-config namespace: openmfp-system source: Secret - 14: | + 12: | + apiVersion: v1 + kind: Secret + metadata: + name: keycloak-provider-config + namespace: openmfp-system + stringData: + config: |- + { + "client_id":"admin-cli", + "username": "keycloak-admin", + "password": "admin", + "url": "http://openmfp-keycloak.openmfp-system.svc.cluster.local/keycloak", + "realm": "master" + } + 13: | apiVersion: realm.keycloak.crossplane.io/v1alpha1 kind: Realm metadata: diff --git a/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz b/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz index d349c7749..9f89089e5 100644 Binary files a/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz and b/charts/openmfp/charts/extension-manager-operator-0.23.0.tgz differ 
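Review bot: The rendered `keycloak-provider-config` Secret in the `@@ -230,7 +179,22 @@` hunk now carries the Keycloak admin credential inline (`"password": "admin"` for `keycloak-admin` on the `master` realm), where the removed ExternalSecret filled it from the `environment-store` SecretStore via `{{ .password }}`. If that value comes from the chart defaults rather than from test-only values, any install that does not override it ships a well-known admin password, and the value is also kept in the Helm release history. I would keep the external-secret path available and make the inline Secret opt-in, with the template refusing to render without a supplied password (Helm's `required`) instead of falling back to `admin`. The `url` is plain `http://` to the in-cluster service, so the credential crosses the pod network unencrypted unless the mesh enforces mTLS; that is worth stating in the chart documentation.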
diff --git a/charts/openmfp/charts/infra-0.61.0.tgz b/charts/openmfp/charts/infra-0.61.0.tgz index 73b3badc4..1392e914e 100644 Binary files a/charts/openmfp/charts/infra-0.61.0.tgz and b/charts/openmfp/charts/infra-0.61.0.tgz differ diff --git a/charts/openmfp/charts/keycloak-0.61.0.tgz b/charts/openmfp/charts/keycloak-0.61.0.tgz index 240a8a5a3..d3c2a9937 100644 Binary files a/charts/openmfp/charts/keycloak-0.61.0.tgz and b/charts/openmfp/charts/keycloak-0.61.0.tgz differ