From aee8f5103db8a16a0ee4e2c9974d949a0b76ef1d Mon Sep 17 00:00:00 2001
From: Angel Kafazov
Date: Wed, 22 Jan 2025 15:45:14 +0200
Subject: [PATCH 1/3] chore: update account-operator chart version to 0.5.61 and enable webhooks
On-behalf-of: @SAP angel.kafazov@sap.com
Signed-off-by: Angel Kafazov
---
 charts/account-operator/Chart.yaml | 2 +-
 charts/account-operator/values.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/account-operator/Chart.yaml b/charts/account-operator/Chart.yaml
index deaf1d86b..58dd1835a 100644
--- a/charts/account-operator/Chart.yaml
+++ b/charts/account-operator/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: account-operator
 description: A Helm chart to deploy OpenMFP Account-Operator
 type: application
-version: 0.5.60
+version: 0.5.61
 appVersion: "0.148.0"
 dependencies:
 - name: account-operator-crds
diff --git a/charts/account-operator/values.yaml b/charts/account-operator/values.yaml
index 86ba12136..ca2b9e77c 100644
--- a/charts/account-operator/values.yaml
+++ b/charts/account-operator/values.yaml
@@ -10,7 +10,7 @@ crds:
 webhooks:
 # -- Enable webhooks
- enabled: false
+ enabled: true
 # -- The directory for webhook certificates
 certDir: /certs
@@ -29,7 +29,7 @@ subroutines:
 # -- Enable FGA subroutines
 enabled: true
 # -- The gRPC address for FGA
- grpcAddr: ""
+ grpcAddr: openmfp-openfga:8081
 # -- The root namespace for FGA
 rootNamespace: openmfp-root
 # -- The object type for FGA
@@ -48,7 +48,7 @@ subroutines:
 # -- The secret for kubeconfig
 kubeconfigSecret: ""
 # -- The log level
-logLevel: warn
+logLevel: debug
 security:
 # -- Mount the service account token
From 155d12091e34208bdda00a0dbbfa578fabe6133b Mon Sep 17 00:00:00 2001
From: Angel Kafazov
Date: Wed, 22 Jan 2025 15:48:09 +0200
Subject: [PATCH 2/3] update snapshot
On-behalf-of: @SAP angel.kafazov@sap.com
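Review bot: Flipping `webhooks.enabled` to `true` in the first values.yaml hunk makes cert-manager a hard prerequisite of every default install, but neither the `# -- Enable webhooks` comment nor the README row in the third patch says so; the rendered snapshot in the second patch shows an `Issuer`, a `Certificate` and a `cert-manager.io/inject-ca-from` annotation appearing once the flag is on. That snapshot also renders the MutatingWebhookConfiguration with `failurePolicy: Fail` for `CREATE` on `accounts`, so while the webhook service is unreachable (certificate not yet issued, pod restarting) Account creation is rejected rather than passed through — a fail-closed choice that is sound but that operators should be told about. I'd extend the values comment to `# -- Enable webhooks (requires cert-manager; admission is fail-closed, so Account creation is rejected while the webhook is unavailable)` and carry the same caveat into the README description.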
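Review bot: The new `grpcAddr` default `openmfp-openfga:8081` in the second values.yaml hunk hard-wires the service name of a sibling release into this chart's defaults, while the neighbouring `enabled: true` keeps the FGA subroutine on; an install where OpenFGA lives under another release name or namespace will start the operator pointing at a service that does not exist, which is harder to spot than the previous empty default. The address carries no scheme, so whether the gRPC connection is TLS-protected is decided by the operator binary rather than by this value — worth stating, since the README row only says "The gRPC address for FGA". I'd change the comment to `# -- The gRPC address for FGA (host:port of the in-cluster OpenFGA service; override when the release name or namespace differs)`.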
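Review bot: `logLevel: debug` in the third values.yaml hunk is now the chart-wide default, so every installation that does not override it runs the operator at its most verbose level; the README row and the rendered snapshots in this series follow suit with `--log-level=debug`. Debug output from a controller may carry reconciled object contents and request details that a `warn` default kept out of central log storage, and it raises log volume on every cluster that picks up 0.5.61. This reads as a development-environment setting that belongs in an environment-specific values file rather than in the chart default; I'd keep `logLevel: warn` here (or at most `logLevel: info`) and leave the `# -- The log level` comment as is.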
Signed-off-by: Angel Kafazov --- .../__snapshot__/deployment_test.yaml.snap | 170 ++++++++++++++++-- 1 file changed, 158 insertions(+), 12 deletions(-) diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap index 9fd7469e4..db47f55aa 100644 --- a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap @@ -278,6 +278,8 @@ operator match the snapshot: apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3 @@ -286,7 +288,8 @@ operator match the snapshot: service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator @@ -296,7 +299,7 @@ operator match the snapshot: - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -304,7 +307,7 @@ operator match the snapshot: - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE @@ -322,7 +325,7 @@ operator match the snapshot: - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs image: ghcr.io/openmfp/account-operator:0.0.0 @@ -340,6 +343,9 @@ operator match the snapshot: - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz 
@@ -364,7 +370,10 @@ operator match the snapshot: path: /readyz port: 8081 periodSeconds: 10 - volumeMounts: null + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true hostAliases: - hostnames: - kcp.dev.local @@ -375,7 +384,11 @@ operator match the snapshot: type: RuntimeDefault serviceAccountName: account-operator terminationGracePeriodSeconds: 10 - volumes: null + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: 
@@ -383,6 +396,66 @@ operator match the snapshot: kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: account-operator-webhook + namespace: NAMESPACE + path: /mutate-core-openmfp-io-v1alpha1-account + failurePolicy: Fail + name: maccount.kb.io + rules: + - apiGroups: + - core.openmfp.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - accounts + sideEffects: None + 7: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 8: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 9: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot (with kubeconfigSecret): 1: | apiVersion: apiextensions.k8s.io/v1 @@ -663,6 +736,8 @@ operator match the snapshot (with kubeconfigSecret): apiVersion: apps/v1 kind: Deployment metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert name: account-operator spec: revisionHistoryLimit: 3 
@@ -671,7 +746,8 @@ operator match the snapshot (with kubeconfigSecret): service: account-operator template: metadata: - annotations: null + annotations: + traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager service: account-operator @@ -681,7 +757,7 @@ operator match the snapshot (with kubeconfigSecret): - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED @@ -689,7 +765,7 @@ operator match the snapshot (with kubeconfigSecret): - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE @@ -707,7 +783,7 @@ operator match the snapshot (with kubeconfigSecret): - name: KCP_VIRTUAL_WORKSPACE_URL value: "" - name: WEBHOOKS_ENABLED - value: "false" + value: "true" - name: WEBHOOKS_CERT_DIR value: /certs - name: KUBECONFIG @@ -727,6 +803,9 @@ operator match the snapshot (with kubeconfigSecret): - containerPort: 8081 name: health-port protocol: TCP + - containerPort: 9443 + name: webhook-port + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -754,6 +833,9 @@ operator match the snapshot (with kubeconfigSecret): volumeMounts: - mountPath: /api-kubeconfig name: external-api-server + - mountPath: /certs + name: cert + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -764,6 +846,10 @@ operator match the snapshot (with kubeconfigSecret): - name: external-api-server secret: secretName: kubeconfig + - name: cert + secret: + defaultMode: 420 + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: 
@@ -771,6 +857,66 @@ operator match the snapshot (with kubeconfigSecret): kind: ServiceAccount metadata: name: account-operator + 6: | + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + annotations: + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: account-operator-webhook + namespace: NAMESPACE + path: /mutate-core-openmfp-io-v1alpha1-account + failurePolicy: Fail + name: maccount.kb.io + rules: + - apiGroups: + - core.openmfp.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - accounts + sideEffects: None + 7: | + apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: account-operator-selfsigned-issuer + spec: + selfSigned: {} + 8: | + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: account-operator-serving-cert + spec: + dnsNames: + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert + 9: | + apiVersion: v1 + kind: Service + metadata: + name: account-operator-webhook + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + service: account-operator operator match the snapshot with webhook enabled: 1: | apiVersion: apiextensions.k8s.io/v1 @@ -1072,7 +1218,7 @@ operator match the snapshot with webhook enabled: - args: - operator - --leader-elect - - --log-level=warn + - --log-level=debug - --health-probe-bind-address=:8081 env: - name: SUBROUTINES_NAMESPACE_ENABLED 
@@ -1080,7 +1226,7 @@ operator match the snapshot with webhook enabled: - name: SUBROUTINES_FGA_ENABLED value: "true" - name: SUBROUTINES_FGA_GRPC_ADDR - value: "" + value: openmfp-openfga:8081 - name: SUBROUTINES_FGA_ROOT_NAMESPACE value: openmfp-root - name: SUBROUTINES_FGA_OBJECT_TYPE From 0a4387582280c31456687181b1df726043278a81 Mon Sep 17 00:00:00 2001 From: Angel Kafazov Date: Wed, 22 Jan 2025 15:49:23 +0200 Subject: [PATCH 3/3] update docs On-behalf-of: @SAP angel.kafazov@sap.com Signed-off-by: Angel Kafazov --- charts/account-operator/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/account-operator/README.md b/charts/account-operator/README.md index ce3da22b7..472fdb064 100644 --- a/charts/account-operator/README.md +++ b/charts/account-operator/README.md 
@@ -23,19 +23,19 @@ A Helm chart to deploy OpenMFP Account-Operator
 | kcp.enabled | bool | `false` | Enable KCP |
 | kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace |
 | kubeconfigSecret | string | `""` | The secret for kubeconfig |
-| logLevel | string | `"warn"` | The log level |
+| logLevel | string | `"debug"` | The log level |
 | security.mountServiceAccountToken | bool | `true` | Mount the service account token |
 | subroutines.extension.enabled | bool | `true` | Enable extension subroutines |
 | subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines |
 | subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA |
 | subroutines.fga.enabled | bool | `true` | Enable FGA subroutines |
-| subroutines.fga.grpcAddr | string | `""` | The gRPC address for FGA |
+| subroutines.fga.grpcAddr | string | `"openmfp-openfga:8081"` | The gRPC address for FGA |
 | subroutines.fga.objectType | string | `"account"` | The object type for FGA |
 | subroutines.fga.parentRelation | string | `"parent"` | The parent relation for FGA |
 | subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA |
 | subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines |
 | webhooks.certDir | string | `"/certs"` | The directory for webhook certificates |
-| webhooks.enabled | bool | `false` | Enable webhooks |
+| webhooks.enabled | bool | `true` | Enable webhooks |
 ## Overriding Values