diff --git a/.github/workflows/common.yaml b/.github/workflows/common.yaml index 0c6009415..b371d7f44 100644 --- a/.github/workflows/common.yaml +++ b/.github/workflows/common.yaml @@ -16,6 +16,7 @@ jobs: chartName: common additionalTestFilesCommand: '' chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts' + skipVulnerabilityScan: true secrets: inherit updateVersionFile: diff --git a/.github/workflows/extension-manager-operator-crds.yaml b/.github/workflows/extension-manager-operator-crds.yaml new file mode 100644 index 000000000..cd3a3c47b --- /dev/null +++ b/.github/workflows/extension-manager-operator-crds.yaml @@ -0,0 +1,28 @@ +name: Build extension-manager-operator-crds Workflow +on: + push: + paths: + - 'charts/extension-manager-operator-crds/**' + - '.github/workflows/extension-manager-operator-crds.yaml' + +jobs: + pipeline: + concurrency: + group: extension-manager-operator-crds-${{ github.ref }} + cancel-in-progress: true + uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main + with: + chartFolder: charts + chartName: extension-manager-operator-crds + additionalTestFilesCommand: '' + chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts' + secrets: inherit + + updateVersionFile: + if: ${{ github.ref == 'refs/heads/main' }} + needs: [pipeline] + uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main + secrets: inherit + with: + componentVersionKey: "extension-manager-operator-crds" + version: ${{ needs.pipeline.outputs.version }} diff --git a/.github/workflows/extension-manager-operator.yaml b/.github/workflows/extension-manager-operator.yaml new file mode 100644 index 000000000..75c5e926b --- /dev/null +++ b/.github/workflows/extension-manager-operator.yaml 
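Review bot: `skipVulnerabilityScan: true` turns the scan off for the one chart every other chart in this commit now inherits its securityContext, probe and resource defaults from, and the hunk records no reason for it. If the flag is there because a library chart renders no manifests for the scanner, say so beside it, e.g. `skipVulnerabilityScan: true  # library chart: no renderable templates; covered by the consuming charts' scans`, so the next reader does not take it for a deliberate exemption. What the pipeline scans with is not visible here; if it is kube-linter as in the Taskfile, `charts/common/test-chart` (already excluded from packaging by `.helmignore`) would be the natural place to keep a rendered scan of the shared templates instead of skipping the chart outright.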
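Review bot: `uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main` combined with `secrets: inherit` hands every secret of this repository to whatever is on the `main` branch of `openmfp/gha` at run time, so a push to that repository (or a compromised maintainer account there) changes this pipeline without any review here. Pin the reusable workflow to a full commit SHA and note the tag beside it, `uses: openmfp/gha/.github/workflows/pipeline-chart.yml@<40-char sha> # vX.Y.Z`, and do the same for `job-update-version-file.yml` and in the sibling `extension-manager-operator.yaml`. If the upstream repository is under the same control a protected release tag is an acceptable second-best, but a moving branch ref is not.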
@@ -0,0 +1,28 @@ +name: Build extension-manager-operator Workflow +on: + push: + paths: + - 'charts/extension-manager-operator/**' + - '.github/workflows/extension-manager-operator.yaml' + +jobs: + pipeline: + concurrency: + group: extension-manager-operator-${{ github.ref }} + cancel-in-progress: true + uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main + with: + chartFolder: charts + chartName: extension-manager-operator + additionalTestFilesCommand: '' + chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts' + secrets: inherit + + updateVersionFile: + if: ${{ github.ref == 'refs/heads/main' }} + needs: [pipeline] + uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main + secrets: inherit + with: + componentVersionKey: "extension-manager-operator" + version: ${{ needs.pipeline.outputs.version }} diff --git a/.gitignore b/.gitignore index f392e285f..831d11709 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .idea .vscode/settings.json +bin/ diff --git a/.helmdocsignore b/.helmdocsignore new file mode 100644 index 000000000..eab41bb67 --- /dev/null +++ b/.helmdocsignore @@ -0,0 +1 @@ +charts/common/test-chart \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 000000000..1e36182c2 --- /dev/null +++ b/README.md 
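Review bot: the `push` trigger filters on `paths` but not on `branches`, so the `pipeline` job — which inherits all repository secrets — runs for every branch push, while only `updateVersionFile` is gated on `refs/heads/main`. Unless `pipeline-chart.yml` itself refuses to publish off `main` (not visible here), a chart on a feature branch can be packaged and pushed with the production credentials. Either add `branches: [main]` under `push:` plus a `pull_request:` trigger for validation-only runs, or gate the job with `if: ${{ github.ref == 'refs/heads/main' }}` the way `updateVersionFile` already does; the same applies to the sibling `extension-manager-operator-crds.yaml`.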
@@ -0,0 +1,18 @@ +# helm-charts + +This repository contains public helm charts for the OpenMFP project. + +## Taskfile +It uses Taskfile and task command to local dev tooling. The following tasks are available: `lint, helmtest, test, update, validate, vulnerability, helm-docs`. + +## Updating charts +If a chart is changed, it could be dependency of other chart or its dependencies must be updated. To do it, run `task update`. + +## Helm-docs +Using https://github.com/norwoodj/helm-docs to generate charts documentation. Documentation can be updated by running `task helm-docs` command. + +## Github Actions +Each chart is automatically tested, packaged and published to github repository. Workflows are located in the [.github/workflows](.github/workflows) folder. + +## OWASP vulnerability scanning +Kube-linter and kube-score can be run locally with `task vulnerability`. PR changes are also scanned on github and found vulnerability are visible under the Security project section on Github. \ No newline at end of file diff --git a/Taskfile.yaml b/Taskfile.yaml index b805157fe..d6d8be93f 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml 
@@ -3,27 +3,56 @@ version: '3' vars: LOCAL_BIN: bin CHARTS: - sh: "ls charts/ | sed 's/^/charts\\//g' | paste -sd ',' -" + sh: "printf '%s,%s' $(ls -d charts/*/ | paste -sd ',' -) 'charts/common/test-chart'" + CHANGED_CHARTS: + sh: "git status --porcelain | grep '^ M charts/' | cut -d'/' -f2 | sort -u | sed 's|^|charts/|' | paste -sd ',' -" tasks: + ## Setup + setup:kube-lint: + internal: true + cmds: + - mkdir -p $(pwd)/{{.LOCAL_BIN}} + - test -s {{.LOCAL_BIN}}/kube-linter || GOBIN=$(pwd)/{{.LOCAL_BIN}} go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest + - chmod +x $(pwd)/{{.LOCAL_BIN}}/kube-linter + setup:helm-docs: + internal: true + cmds: + - test -s {{.LOCAL_BIN}}/helm-docs || GOBIN=$(pwd)/{{.LOCAL_BIN}} go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest ## Development lint: deps: [] cmds: - "ct lint --target-branch main --validate-maintainers=false --charts={{.CHARTS}}" - package: - cmds: - - helm package ./charts/openmfp helmtest: cmds: - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm unittest $chart; done" test: deps: + - task: update - task: helmtest + update-changed: + deps: + - task: helm-docs + cmds: + - "for chart in $(echo {{.CHANGED_CHARTS}} | tr ',' ' '); do helm dependency update $chart; done" update: + deps: + - task: helm-docs cmds: - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm dependency update $chart; done" validate: cmds: - task: lint - - task: package - - task: test \ No newline at end of file + # - task: package + - task: test + - task: vulnerability + vulnerability: + deps: + - task: setup:kube-lint + cmds: + - "{{.LOCAL_BIN}}/kube-linter lint \"charts/\" --format \"plain\"" + helm-docs: + deps: + - task: setup:helm-docs + cmds: + - "{{.LOCAL_BIN}}/helm-docs --chart-search-root charts/ --template-files=README.md.gotmpl" \ No newline at end of file diff --git a/charts/_templates.gotmpl b/charts/_templates.gotmpl new file mode 100644 index 000000000..a01784f66 --- /dev/null 
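Review bot: both `setup:` tasks install tooling with `go install …@latest`, so `task validate` (and anyone following the README) runs whatever kube-linter and helm-docs version the module proxy serves that day — lint results differ between machines and a broken or malicious release is picked up automatically. Pin them through `vars:` (`KUBE_LINTER_VERSION`, `HELM_DOCS_VERSION`) and install with `…/kube-linter@{{.KUBE_LINTER_VERSION}}`, bumping deliberately. Separately, `test:` lists `update` and `helmtest` under `deps`, which Taskfile runs concurrently, so `helm unittest` can race `helm dependency update` while it rewrites `charts/*/charts/*.tgz`; run them in order with `deps: [update]` and `cmds: [task: helmtest]`. `CHANGED_CHARTS` also only matches `^ M`, so a newly added chart (`A ` or `??` in porcelain output) is silently skipped by `update-changed`.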
+++ b/charts/_templates.gotmpl @@ -0,0 +1,18 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +## Configuration + +The chart supports the following configuration parameters in the table below. Additionally, default configuration parameters documented in [common/README.md](../common/README.md) are not explicitely listed in the table but are also supported. + +{{ template "chart.valuesHeader" . }} + +Default configuration parameters, which can be overriden either globally or on a chart level are documented in [common/README.md](../common/README.md). + +{{ template "chart.valuesTable" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/account-operator-crds/Chart.yaml b/charts/account-operator-crds/Chart.yaml index 2e6f69809..f28f61693 100644 --- a/charts/account-operator-crds/Chart.yaml +++ b/charts/account-operator-crds/Chart.yaml @@ -4,6 +4,6 @@ description: A Helm chart for Kubernetes type: application -version: 0.1.5 +version: 0.1.6 appVersion: "1.16.0" diff --git a/charts/account-operator-crds/README.md b/charts/account-operator-crds/README.md new file mode 100644 index 000000000..50a5c1f6d --- /dev/null +++ b/charts/account-operator-crds/README.md @@ -0,0 +1,12 @@ +# account-operator-crds + +![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| kcp.enabled | bool | `false` | Enable KCP | + 
diff --git a/charts/account-operator-crds/values.yaml b/charts/account-operator-crds/values.yaml index f569f4f46..1125312a8 100644 --- a/charts/account-operator-crds/values.yaml +++ b/charts/account-operator-crds/values.yaml @@ -1,2 +1,3 @@ kcp: + # -- Enable KCP enabled: false diff --git a/charts/account-operator/Chart.lock b/charts/account-operator/Chart.lock index 52685bc63..4ba972e60 100644 --- a/charts/account-operator/Chart.lock +++ b/charts/account-operator/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: account-operator-crds repository: file://../account-operator-crds - version: 0.1.5 + version: 0.1.6 - name: common repository: file://../common - version: 0.1.4 -digest: sha256:9d2466bb6f196f2355a55ff621f6017cee086f9600280b009e55249ab6a6335f -generated: "2024-11-21T17:36:43.666194+01:00" + version: 0.1.5 +digest: sha256:5dcb2935c71c2e917170ef3b54c5ea586ab30269a5ec960353bfcbb362c073e1 +generated: "2024-11-27T20:12:23.434477831+02:00" diff --git a/charts/account-operator/Chart.yaml b/charts/account-operator/Chart.yaml index 494972af3..9dfc6f517 100644 --- a/charts/account-operator/Chart.yaml +++ b/charts/account-operator/Chart.yaml @@ -2,13 +2,13 @@ apiVersion: v2 name: account-operator description: A Helm chart for Kubernetes type: application -version: 0.4.20 +version: 0.4.21 appVersion: "0.108.0" dependencies: - name: account-operator-crds - version: 0.1.5 + version: 0.1.6 condition: crds.enabled repository: file://../account-operator-crds - name: common - version: 0.1.4 + version: 0.1.5 repository: file://../common diff --git a/charts/account-operator/README.md b/charts/account-operator/README.md new file mode 100644 index 000000000..a749e6901 --- /dev/null +++ b/charts/account-operator/README.md 
@@ -0,0 +1,40 @@ +# account-operator + +![Version: 0.4.21](https://img.shields.io/badge/Version-0.4.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.108.0](https://img.shields.io/badge/AppVersion-0.108.0-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../account-operator-crds | account-operator-crds | 0.1.6 | +| file://../common | common | 0.1.5 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| crds.enabled | bool | `true` | Enable CRDs | +| deployment.specTemplate.annotations | object | `{}` | The annotations for the deployment | +| deployment.specTemplate.labels | object | `{}` | The labels for the deployment | +| image.name | string | `"ghcr.io/openmfp/account-operator"` | The image repository | +| image.tag | string | `"latest"` | The image tag | +| kcp | object | `{"enabled":false,"virtualWorkspaceUrl":""}` | The KCP configuration | +| kcp.enabled | bool | `false` | Enable KCP | +| kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace | +| kubeconfigSecret | string | `""` | The secret for kubeconfig | +| logLevel | string | `"warn"` | The log level | +| security.mountServiceAccountToken | bool | `false` | Mount the service account token | +| subroutines.extension.enabled | bool | `true` | Enable extension subroutines | +| subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines | +| subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA | +| subroutines.fga.enabled | bool | `true` | Enable FGA subroutines | +| subroutines.fga.grpcAddr | string | `""` | The gRPC address for FGA | +| subroutines.fga.objectType | string | `"account"` | The object type for FGA | +| subroutines.fga.parentRelation | string | `"parent"` | The 
parent relation for FGA | +| subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA | +| subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines | +| webhooks.certDir | string | `"/certs"` | The directory for webhook certificates | +| webhooks.enabled | bool | `false` | Enable webhooks | + diff --git a/charts/account-operator/charts/account-operator-crds-0.1.5.tgz b/charts/account-operator/charts/account-operator-crds-0.1.5.tgz deleted file mode 100644 index b245dcd30..000000000 Binary files a/charts/account-operator/charts/account-operator-crds-0.1.5.tgz and /dev/null differ diff --git a/charts/account-operator/charts/account-operator-crds-0.1.6.tgz b/charts/account-operator/charts/account-operator-crds-0.1.6.tgz new file mode 100644 index 000000000..d7dbe12e9 Binary files /dev/null and b/charts/account-operator/charts/account-operator-crds-0.1.6.tgz differ diff --git a/charts/account-operator/charts/common-0.1.4.tgz b/charts/account-operator/charts/common-0.1.4.tgz deleted file mode 100644 index a395f60bb..000000000 Binary files a/charts/account-operator/charts/common-0.1.4.tgz and /dev/null differ diff --git a/charts/account-operator/charts/common-0.1.5.tgz b/charts/account-operator/charts/common-0.1.5.tgz new file mode 100644 index 000000000..17b38ee60 Binary files /dev/null and b/charts/account-operator/charts/common-0.1.5.tgz differ diff --git a/charts/account-operator/templates/deployment.yaml b/charts/account-operator/templates/deployment.yaml index 5dbe63a07..c76056e92 100644 --- a/charts/account-operator/templates/deployment.yaml +++ b/charts/account-operator/templates/deployment.yaml 
@@ -2,13 +2,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} {{- if .Values.webhooks.enabled }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "common.entity.name" . }}-serving-cert {{- end }} spec: - revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }} selector: matchLabels: service: {{ include "common.entity.name" . }} 
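Review bot: dropping `namespace: {{ .Release.Namespace }}` from `metadata` is fine for `helm install -n`, but the `cert-manager.io/inject-ca-from` annotation two lines below still hard-codes `{{ .Release.Namespace }}/…-serving-cert`. Anyone applying `helm template` output with `kubectl apply -n other` (a common GitOps path) now gets a Deployment in one namespace and a CA-injection reference into another, so cert-manager never injects the webhook CA and the webhook fails closed (the snapshot shows `failurePolicy: Fail`). Either keep the explicit namespace on resources that carry cross-namespace references, or state in the chart README that the chart must be installed with Helm so `.Release.Namespace` is authoritative.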
@@ -34,42 +33,19 @@ spec: - operator - --leader-elect - --log-level={{ .Values.logLevel }} - - "--health-probe-bind-address=:{{ .Values.health.port }}" + - '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}' image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} name: manager - securityContext: - runAsNonRoot: true + {{ include "common.container.securityContext" . | nindent 10 }} ports: - - containerPort: {{ .Values.metrics.port }} - name: metrics - protocol: TCP - - name: health-port - containerPort: {{ .Values.health.port }} - protocol: TCP + {{ include "common.PortsMetricsHealth" . | nindent 10 }} {{- if .Values.webhooks.enabled }} - name: webhook-port containerPort: 9443 protocol: TCP {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.health.port}} - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: {{ .Values.health.port}} - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: {{ .Values.deployment.resources.limits.cpu }} - memory: {{ .Values.deployment.resources.limits.memory }} - requests: - cpu: {{ .Values.deployment.resources.requests.cpu }} - memory: {{ .Values.deployment.resources.requests.memory }} + {{ include "common.operatorHealthAndReadyness" . | nindent 10 }} + {{ include "common.resources" . | nindent 10 }} env: - name: SUBROUTINES_NAMESPACE_ENABLED value: "{{ .Values.subroutines.namespace.enabled }}" diff --git a/charts/account-operator/templates/service-account.yaml b/charts/account-operator/templates/service-account.yaml index 2eaf7c467..490c917a9 100644 --- a/charts/account-operator/templates/service-account.yaml +++ b/charts/account-operator/templates/service-account.yaml @@ -2,5 +2,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} {{- include "common.imagePullSecret" . }} 
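Review bot: `common.container.securityContext` is included at `nindent 10`, i.e. inside `containers[0]`, and the regenerated snapshots in this commit show it emitting `automountServiceAccountToken: false` and `serviceAccountName: account-operator` at that level next to `securityContext`. Both are PodSpec fields, not Container fields; the API server's default field validation drops unknown fields with only a warning, so `security.mountServiceAccountToken: false` is never enforced and the operator pod keeps its projected token (the pod-level `serviceAccountName` further down still applies — that part of the spec is outside this hunk). The fix belongs in the common library template: emit only `securityContext:` from the container include and move the two pod-level keys into a `spec.template.spec`-level include. While there, the rendered `securityContext` (`readOnlyRootFilesystem`, `runAsNonRoot`, `seccompProfile`) still lacks `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, which the restricted Pod Security Standard requires.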
diff --git a/charts/account-operator/templates/webhook/pki.yaml b/charts/account-operator/templates/webhook/pki.yaml index a0375a863..9e4d73ff3 100644 --- a/charts/account-operator/templates/webhook/pki.yaml +++ b/charts/account-operator/templates/webhook/pki.yaml @@ -3,7 +3,6 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "common.entity.name" . }}-selfsigned-issuer - namespace: {{ .Release.namespace }} spec: selfSigned: {} --- @@ -11,7 +10,6 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "common.entity.name" . }}-serving-cert - namespace: {{ .Release.namespace }} spec: dnsNames: - {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc diff --git a/charts/account-operator/templates/webhook/service.yaml b/charts/account-operator/templates/webhook/service.yaml index 7c8eb409f..c42d42a78 100644 --- a/charts/account-operator/templates/webhook/service.yaml +++ b/charts/account-operator/templates/webhook/service.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "common.entity.name" . }}-webhook - namespace: {{ .Release.Namespace }} spec: ports: - port: 443 diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap index 74b97e52d..f3c889aba 100644 --- a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap @@ -209,7 +209,7 @@ operator match the snapshot: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: RELEASE-NAME-account-operator + name: account-operator rules: - apiGroups: - core.openmfp.io 
@@ -265,32 +265,31 @@ operator match the snapshot: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: RELEASE-NAME-account-operator + name: account-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: RELEASE-NAME-account-operator + name: account-operator subjects: - kind: ServiceAccount - name: RELEASE-NAME-account-operator + name: account-operator namespace: NAMESPACE 4: | apiVersion: apps/v1 kind: Deployment metadata: - name: RELEASE-NAME-account-operator - namespace: NAMESPACE + name: account-operator spec: revisionHistoryLimit: 3 selector: matchLabels: - service: RELEASE-NAME-account-operator + service: account-operator template: metadata: annotations: null labels: control-plane: controller-manager - service: RELEASE-NAME-account-operator + service: account-operator spec: containers: - args: @@ -298,6 +297,7 @@ operator match the snapshot: - --leader-elect - --log-level=warn - --health-probe-bind-address=:8081 + automountServiceAccountToken: false env: - name: SUBROUTINES_NAMESPACE_ENABLED value: "true" @@ -327,11 +327,11 @@ operator match the snapshot: value: /certs image: ghcr.io/openmfp/account-operator:0.0.0 livenessProbe: + failureThreshold: 1 httpGet: path: /healthz port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 + periodSeconds: 10 name: manager ports: - containerPort: 8080 @@ -354,9 +354,19 @@ operator match the snapshot: cpu: 150m memory: 128Mi securityContext: + readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: account-operator + startupProbe: + failureThreshold: 30 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 volumeMounts: null - serviceAccountName: RELEASE-NAME-account-operator + serviceAccountName: account-operator terminationGracePeriodSeconds: 10 volumes: null 5: | 
@@ -365,8 +375,7 @@ operator match the snapshot: - name: github kind: ServiceAccount metadata: - name: RELEASE-NAME-account-operator - namespace: NAMESPACE + name: account-operator operator match the snapshot (with kubeconfigSecret): 1: | apiVersion: apiextensions.k8s.io/v1 @@ -578,7 +587,7 @@ operator match the snapshot (with kubeconfigSecret): apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: RELEASE-NAME-account-operator + name: account-operator rules: - apiGroups: - core.openmfp.io @@ -634,32 +643,31 @@ operator match the snapshot (with kubeconfigSecret): apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: RELEASE-NAME-account-operator + name: account-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: RELEASE-NAME-account-operator + name: account-operator subjects: - kind: ServiceAccount - name: RELEASE-NAME-account-operator + name: account-operator namespace: NAMESPACE 4: | apiVersion: apps/v1 kind: Deployment metadata: - name: RELEASE-NAME-account-operator - namespace: NAMESPACE + name: account-operator spec: revisionHistoryLimit: 3 selector: matchLabels: - service: RELEASE-NAME-account-operator + service: account-operator template: metadata: annotations: null labels: control-plane: controller-manager - service: RELEASE-NAME-account-operator + service: account-operator spec: containers: - args: @@ -667,6 +675,7 @@ operator match the snapshot (with kubeconfigSecret): - --leader-elect - --log-level=warn - --health-probe-bind-address=:8081 + automountServiceAccountToken: false env: - name: SUBROUTINES_NAMESPACE_ENABLED value: "true" @@ -698,11 +707,11 @@ operator match the snapshot (with kubeconfigSecret): value: /api-kubeconfig/kubeconfig image: ghcr.io/openmfp/account-operator:0.0.0 livenessProbe: + failureThreshold: 1 httpGet: path: /healthz port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 + periodSeconds: 10 name: manager ports: - containerPort: 8080 
@@ -719,17 +728,27 @@ operator match the snapshot (with kubeconfigSecret): periodSeconds: 10 resources: limits: - cpu: 260m + cpu: 100m memory: 512Mi requests: - cpu: 150m - memory: 128Mi + cpu: 40m + memory: 50Mi securityContext: + readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: account-operator + startupProbe: + failureThreshold: 30 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 volumeMounts: - mountPath: /api-kubeconfig name: external-api-server - serviceAccountName: RELEASE-NAME-account-operator + serviceAccountName: account-operator terminationGracePeriodSeconds: 10 volumes: - name: external-api-server @@ -741,8 +760,7 @@ operator match the snapshot (with kubeconfigSecret): - name: github kind: ServiceAccount metadata: - name: RELEASE-NAME-account-operator - namespace: NAMESPACE + name: account-operator operator match the snapshot with webhook enabled: 1: | apiVersion: apiextensions.k8s.io/v1 @@ -954,7 +972,7 @@ operator match the snapshot with webhook enabled: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: RELEASE-NAME-account-operator + name: account-operator rules: - apiGroups: - core.openmfp.io 
@@ -1010,35 +1028,34 @@ operator match the snapshot with webhook enabled: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: RELEASE-NAME-account-operator + name: account-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: RELEASE-NAME-account-operator + name: account-operator subjects: - kind: ServiceAccount - name: RELEASE-NAME-account-operator + name: account-operator namespace: NAMESPACE 4: | apiVersion: apps/v1 kind: Deployment metadata: annotations: - cert-manager.io/inject-ca-from: NAMESPACE/RELEASE-NAME-account-operator-serving-cert - name: RELEASE-NAME-account-operator - namespace: NAMESPACE + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator spec: revisionHistoryLimit: 3 selector: matchLabels: - service: RELEASE-NAME-account-operator + service: account-operator template: metadata: annotations: traffic.sidecar.istio.io/excludeInboundPorts: "9443" labels: control-plane: controller-manager - service: RELEASE-NAME-account-operator + service: account-operator spec: containers: - args: @@ -1046,6 +1063,7 @@ operator match the snapshot with webhook enabled: - --leader-elect - --log-level=warn - --health-probe-bind-address=:8081 + automountServiceAccountToken: false env: - name: SUBROUTINES_NAMESPACE_ENABLED value: "true" @@ -1075,11 +1093,11 @@ operator match the snapshot with webhook enabled: value: /certs image: ghcr.io/openmfp/account-operator:0.0.0 livenessProbe: + failureThreshold: 1 httpGet: path: /healthz port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 + periodSeconds: 10 name: manager ports: - containerPort: 8080 @@ -1095,7 +1113,7 @@ operator match the snapshot with webhook enabled: httpGet: path: /readyz port: 8081 - initialDelaySeconds: 5 + initialDelaySeconds: 45 periodSeconds: 10 resources: limits: 
@@ -1105,39 +1123,48 @@ operator match the snapshot with webhook enabled: cpu: 150m memory: 128Mi securityContext: + readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: account-operator + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz + port: 8081 + periodSeconds: 10 volumeMounts: - mountPath: /certs name: cert readOnly: true - serviceAccountName: RELEASE-NAME-account-operator + serviceAccountName: account-operator terminationGracePeriodSeconds: 10 volumes: - name: cert secret: defaultMode: 420 - secretName: RELEASE-NAME-account-operator-webhook-server-cert + secretName: account-operator-webhook-server-cert 5: | apiVersion: v1 imagePullSecrets: - name: github kind: ServiceAccount metadata: - name: RELEASE-NAME-account-operator - namespace: NAMESPACE + name: account-operator 6: | apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: - cert-manager.io/inject-ca-from: NAMESPACE/RELEASE-NAME-account-operator-serving-cert - name: RELEASE-NAME-account-operator-mutating-webhook-configuration + cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert + name: account-operator-mutating-webhook-configuration webhooks: - admissionReviewVersions: - v1 clientConfig: service: - name: RELEASE-NAME-account-operator-webhook + name: account-operator-webhook namespace: NAMESPACE path: /mutate-core-openmfp-io-v1alpha1-account failurePolicy: Fail 
@@ -1156,30 +1183,27 @@ operator match the snapshot with webhook enabled: apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: RELEASE-NAME-account-operator-selfsigned-issuer - namespace: null + name: account-operator-selfsigned-issuer spec: selfSigned: {} 8: | apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: RELEASE-NAME-account-operator-serving-cert - namespace: null + name: account-operator-serving-cert spec: dnsNames: - - RELEASE-NAME-account-operator-webhook.NAMESPACE.svc - - RELEASE-NAME-account-operator-webhook.NAMESPACE.svc.cluster.local + - account-operator-webhook.NAMESPACE.svc + - account-operator-webhook.NAMESPACE.svc.cluster.local issuerRef: kind: Issuer - name: RELEASE-NAME-account-operator-selfsigned-issuer - secretName: RELEASE-NAME-account-operator-webhook-server-cert + name: account-operator-selfsigned-issuer + secretName: account-operator-webhook-server-cert 9: | apiVersion: v1 kind: Service metadata: - name: RELEASE-NAME-account-operator-webhook - namespace: NAMESPACE + name: account-operator-webhook spec: ports: - port: 443 @@ -1187,4 +1211,4 @@ operator match the snapshot with webhook enabled: targetPort: 9443 selector: control-plane: controller-manager - service: RELEASE-NAME-account-operator + service: account-operator diff --git a/charts/account-operator/tests/deployment_test.yaml b/charts/account-operator/tests/deployment_test.yaml index 0ab28c0f8..0f5acf693 100644 --- a/charts/account-operator/tests/deployment_test.yaml +++ b/charts/account-operator/tests/deployment_test.yaml @@ -1,8 +1,21 @@ suite: operator chart: appVersion: 0.0.0 +release: + name: account-operator tests: - it: operator match the snapshot + set: + # health: + # portOverride: 8080 + deployment: + resources: + limits: + cpuOverride: 260m + memoryOverride: 512Mi + requests: + cpuOverride: 150m + memoryOverride: 128Mi asserts: - matchSnapshot: {} - it: operator match the snapshot (with kubeconfigSecret) 
@@ -12,7 +25,44 @@ tests: - matchSnapshot: {} - it: operator match the snapshot with webhook enabled set: + health: + # portOverride: 8081 + liveness: + pathOverride: "/healthz" + # failureThreshold: 1 + startup: + pathOverride: "/healthz" + readiness: + initialDelaySecondsOverride: 45 webhooks: enabled: true + certDir: /certs + deployment: + resources: + limits: + cpuOverride: 260m + memoryOverride: 512Mi + requests: + cpuOverride: 150m + memoryOverride: 128Mi + asserts: + - matchSnapshot: {} + - it: deployment with security context + template: deployment.yaml + set: + security: + mountServiceAccountToken: true asserts: - - matchSnapshot: {} \ No newline at end of file + - equal: + path: spec.template.spec.containers[0].securityContext + value: + runAsNonRoot: true + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + - equal: + path: spec.template.spec.containers[0].serviceAccountName + value: account-operator + - equal: + path: spec.template.spec.containers[0].automountServiceAccountToken + value: true diff --git a/charts/account-operator/values.yaml b/charts/account-operator/values.yaml index 6ba72de92..29c70e9b6 100644 --- a/charts/account-operator/values.yaml +++ b/charts/account-operator/values.yaml 
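Review bot: the new `deployment with security context` test asserts `spec.template.spec.containers[0].serviceAccountName` and `…containers[0].automountServiceAccountToken`, which are PodSpec paths, not container paths; the assertions therefore lock in a rendering that Kubernetes will not honour and make the test pass for the wrong reason. Point them at `spec.template.spec.automountServiceAccountToken` and `spec.template.spec.serviceAccountName` so the suite fails until the template emits the field where the API reads it, and add the inverse case (`mountServiceAccountToken: false` → `false`), since that is the default the chart ships with. The commented-out `# portOverride: 8081` and `# failureThreshold: 1` lines in the `set:` block are dead config and should be removed or enabled.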
@@ -1,53 +1,62 @@ image: + # -- The image repository name: ghcr.io/openmfp/account-operator + # -- The image tag tag: latest -imagePullSecret: "github" - crds: + # -- Enable CRDs enabled: true webhooks: + # -- Enable webhooks enabled: false + # -- The directory for webhook certificates certDir: /certs -health: - port: 8081 - -metrics: - port: 8080 - -deployment: - specTemplate: - annotations: {} - labels: {} - revisionHistoryLimit: 3 - resources: - limits: - cpu: 260m - memory: 512Mi - requests: - cpu: 150m - memory: 128Mi - +# -- The KCP configuration kcp: + # -- Enable KCP enabled: false + # -- The URL for the virtual workspace virtualWorkspaceUrl: "" subroutines: namespace: + # -- Enable namespace subroutines enabled: true fga: + # -- Enable FGA subroutines enabled: true + # -- The gRPC address for FGA grpcAddr: "" + # -- The root namespace for FGA rootNamespace: openmfp-root + # -- The object type for FGA objectType: account + # -- The parent relation for FGA parentRelation: parent + # -- The creator relation for FGA creatorRelation: owner extension: + # -- Enable extension subroutines enabled: true extensionReady: + # -- Enable extension ready subroutines enabled: true +# -- The secret for kubeconfig kubeconfigSecret: "" +# -- The log level logLevel: warn + +security: + # -- Mount the service account token + mountServiceAccountToken: false + +deployment: + specTemplate: + # -- The annotations for the deployment + annotations: {} + # -- The labels for the deployment + labels: {} diff --git a/charts/common/.helmignore b/charts/common/.helmignore new file mode 100644 index 000000000..0d5e3a46b --- /dev/null +++ b/charts/common/.helmignore @@ -0,0 +1 @@ +test-chart \ No newline at end of file diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 72d57d310..ac360c91d 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -4,4 +4,4 @@ description: A Helm chart for Kubernetes type: library -version: 0.1.4 +version: 0.1.5 
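Review bot: `image.tag: latest` is now documented as "The image tag" and lands in the generated README, but `templates/deployment.yaml` renders `{{ .Values.image.name }}:{{ .Chart.AppVersion }}`, so the value is never read and the docs advertise a knob that does nothing. Either wire it in with an empty default so the pinned `appVersion` stays the default (`tag: ""` here and `{{ .Values.image.tag | default .Chart.AppVersion }}` in the template), or mark it `# -- Unused: the deployment always pins Chart.appVersion` until it is; do not leave `latest` as the advertised default. Removing `imagePullSecret: "github"` here makes the chart fall back to the common default of the same name (per the common README in this commit); a one-line `# -- imagePullSecret: inherited from common.defaults` note would save the next reader the lookup.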
diff --git a/charts/common/README.md b/charts/common/README.md new file mode 100644 index 000000000..1530d9276 --- /dev/null +++ b/charts/common/README.md 
@@ -0,0 +1,54 @@ +# common + +A Helm chart for Kubernetes + +![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) + +## Additional Information + +The `common` chart is a library of common resources that are shared across all other charts in the repository. It has no templates, but provides helm template functions and default values that can be used by other charts. + +## Values + +The values in the `defaults:` section can be reused from other charts by using the lookup function "common.getKeyValue". It implements lookup on three levels: + +1. Looks for `keyOverride` in the chart's values.yaml +2. Looks for `global.key` in the chart's or parent chart's values.yaml +3. Uses the `key` in the chart's values.yaml +4. Uses the `common.defaults.key` value from the table below. + +1 has precendence over 2 over 3 over 4 respectively. This approach allows for individual charts to have minimal configuration, while still being able to override parameters locally. 
+ +Example +``` +1) .Values.deployment.resources.limits.memoryOveride = 4096MB +2) .Values.global.deployment.resources.limits.memory = 2048MB +3) .Values.deployment.resources.limits.memory = 1024MB +4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB +``` + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| defaults.certManager.enabled | bool | `false` | toggle to enable/disable cert-manager | +| defaults.deployment.maxSurge | int | `5` | maxSurge | +| defaults.deployment.maxUnavailable | int | `0` | maxUnavailable | +| defaults.deployment.resources.limits | object | `{"cpu":"100m","memory":"512Mi"}` | cpu and memory limits for the deployment | +| defaults.deployment.resources.requests | object | `{"cpu":"40m","memory":"50Mi"}` | cpu and memory requests for the deployment | +| defaults.deployment.revisionHistoryLimit | int | `3` | deployment revision history limit | +| defaults.deployment.strategy | string | `"RollingUpdate"` | deployment strategy | +| defaults.externalSecrets.enabled | bool | `true` | toggle to enable/disable external-secrets | +| defaults.health.liveness | object | `{"failureThreshold":1,"path":"/healthz"}` | liveness probe parameters | +| defaults.health.periodSeconds | int | `10` | health period | +| defaults.health.port | int | `8081` | health port | +| defaults.health.readiness | object | `{"initialDelaySeconds":5,"path":"/readyz","periodSeconds":10}` | readiness probe parameters | +| defaults.health.startup | object | `{"failureThreshold":30,"path":"/readyz"}` | startup probe parameters | +| defaults.imagePullPolicy | string | `"Always"` | imagePullPolicy is the policy to use when pulling images for all charts | +| defaults.imagePullSecret | string | `"github"` | imagePullSecret is the name of the secret that holds the docker registry credentials | +| defaults.istio.enabled | bool | `false` | toggle to enable/disable istio | +| defaults.istio.gateway.name | string | `"gateway"` | name 
of the gateway | +| defaults.metrics.port | int | `8080` | metrics port | +| defaults.port | int | `8080` | service port | +| defaults.securityContext.fsGroup | int | `2000` | fsGroup id to run the container | +| defaults.securityContext.runAsGroup | int | `3000` | group id to run the container | +| defaults.securityContext.runAsUser | int | `1000` | user id to run the container | + diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl new file mode 100644 index 000000000..94146d84e --- /dev/null +++ b/charts/common/README.md.gotmpl 
@@ -0,0 +1,33 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +## Additional Information + +The `common` chart is a library of common resources that are shared across all other charts in the repository. It has no templates, but provides helm template functions and default values that can be used by other charts. + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesHeader" . }} + +The values in the `defaults:` section can be reused from other charts by using the lookup function "common.getKeyValue". It implements lookup on three levels: + +1. Looks for `keyOverride` in the chart's values.yaml +2. Looks for `global.key` in the chart's or parent chart's values.yaml +3. Uses the `key` in the chart's values.yaml +4. Uses the `common.defaults.key` value from the table below. + +1 has precendence over 2 over 3 over 4 respectively. This approach allows for individual charts to have minimal configuration, while still being able to override parameters locally. + +Example +``` +1) .Values.deployment.resources.limits.memoryOveride = 4096MB +2) .Values.global.deployment.resources.limits.memory = 2048MB +3) .Values.deployment.resources.limits.memory = 1024MB +4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB +``` + +{{ template "chart.valuesTable" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/common/templates/_certManagerEnabled.tpl b/charts/common/templates/_certManagerEnabled.tpl deleted file mode 100644 index f46f4dee1..000000000 --- a/charts/common/templates/_certManagerEnabled.tpl +++ /dev/null @@ -1,3 +0,0 @@ -{{- define "common.certManagerEnabled" -}} -{{- default (.Values.certManager).enabled (((.Values.global).certManager).enabled) -}} -{{- end -}} \ No newline at end of file 
diff --git a/charts/common/templates/_deploymentHelpers.tpl b/charts/common/templates/_deploymentHelpers.tpl new file mode 100644 index 000000000..3c42259c7 --- /dev/null +++ b/charts/common/templates/_deploymentHelpers.tpl 
@@ -0,0 +1,140 @@ +{{- define "common.deploymentBasics" }} +strategy: + rollingUpdate: + maxSurge: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.maxSurge") }} + maxUnavailable: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.maxUnavailable") }} + type: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.strategy") }} +revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }} +selector: + matchLabels: + app: {{ .Release.Name }} +{{- end }} +{{- define "common.podBasics" }} +name: {{ .Release.Name }} +image: "{{ .Values.image.name }}:{{ .Values.image.tag }}" +{{ include "common.resources" . }} +{{ include "common.ports" . }} +{{- end }} +{{- define "common.resources" }} +resources: + limits: + cpu: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.resources.limits.cpu") }} + memory: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.resources.limits.memory") }} + requests: + cpu: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.resources.requests.cpu") }} + memory: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.resources.requests.memory") }} +{{- end }} +{{- define "common.ports" }} +ports: + - name: http + containerPort: {{ include "common.getKeyValue" (dict "Values" .Values "key" "port") }} + protocol: TCP + {{ include "common.PortsMetricsHealth" (dict "Values" .Values) | nindent 2 }} +{{- end}} + +{{- define "common.technicalIssuers" }} +{{- $technicalIssuers := list }} +{{- range $issuer, $config := .Values.trustedIssuers }} +{{- if $config.isTechnicalIssuer }} +{{- $technicalIssuers = append $technicalIssuers $config.url}} +{{- end}} +{{- end}} +{{- join "," $technicalIssuers }} +{{- end}} + +{{- define "common.basicEnvironment" }} +- name: LOG_LEVEL + value: {{ (.Values.log).level | default "info" }} +- name: REGION + value: {{ 
.Values.region }} +- name: ENVIRONMENT + value: {{ .Values.environment }} +- name: SENTRY_ENVIRONMENT + value: {{ .Values.sentry.environment | default .Values.environment }} +- name: IMAGE_TAG + value: "{{ .Values.image.tag }}" +- name: IMAGE_NAME + value: "{{ .Values.image.name }}" +{{- $technicalIssuers := include "common.technicalIssuers" . }} +{{- if $technicalIssuers }} +- name: TECHNICAL_ISSUERS + value: {{ $technicalIssuers }} +{{- end }} +{{- include "common.sentry-env" . }} +- name: DIRECTIVES_AUTHORIZATION_ENABLED + value: "{{ ((.Values.directives).authorization).enabled | default false }}" +{{- end }} +{{- define "common.basicService" }} +- name: PORT + value: "{{ .Values.port }}" +{{- end }} +{{- define "common.basicJob" }} +- name: ISTIO_QUIT_API + value: http://127.0.0.1:15020 +{{- end }} +{{- define "common.collectorEnvironment" }} +- name: COLLECTOR_SERVICE_NAME + value: {{ .Release.Name }}.{{ .Release.Namespace }} +- name: COLLECTOR_SERVICE_VERSION + value: {{ .Release.Revision | quote }} +- name: COLLECTOR_ENDPOINT + value: {{ (and .Values.otel .Values.otel.collectorEndpoint) | default "localhost:4317" }} +{{- end }} +{{- define "common.healthEnvironment" }} +- name: HEALTH_PORT + value: "{{ (.Values.health).port | default 3389 }}" +{{- end }} +{{- define "common.healthAndReadiness" }} +{{ include "common.operatorHealthAndReadyness" . 
}} +{{- end }} +{{- define "common.operatorHealthAndReadyness" }} +livenessProbe: + httpGet: + path: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.liveness.path") }} + port: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }} + failureThreshold: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.liveness.failureThreshold") }} + periodSeconds: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.periodSeconds") }} +startupProbe: + httpGet: + path: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.startup.path") }} + port: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }} + failureThreshold: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.startup.failureThreshold") }} + periodSeconds: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.periodSeconds") }} +readinessProbe: + httpGet: + path: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.readiness.path") }} + port: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }} + initialDelaySeconds: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.readiness.initialDelaySeconds") }} + periodSeconds: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.periodSeconds") }} +{{- end }} +{{- define "common.terminationGracePeriodSeconds" -}} +{{ .Values.terminationGracePeriodSeconds | default 10 }} +{{- end }} +{{- define "common.imagePullPolicy" -}} +{{ include "common.getKeyValue" (dict "Values" .Values "key" "imagePullPolicy") }} +{{- end }} +{{- define "common.PortsMetricsHealth" -}} +- name: metrics + containerPort: {{ include "common.getKeyValue" (dict "Values" .Values "key" "metrics.port") }} + protocol: TCP +- name: health-port + containerPort: {{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }} + protocol: TCP +{{- end -}} + +{{- define 
"common.container.securityContext" -}} +securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +serviceAccountName: {{ .Release.Name }} +automountServiceAccountToken: {{ not (eq (.Values.security).mountServiceAccountToken false) }} +{{- end }} + +{{- define "common.spec.securityContext" -}} +securityContext: + runAsUser: {{ include "common.getKeyValue" (dict "Values" .Values "key" "securityContext.runAsUser") }} + runAsGroup: {{ include "common.getKeyValue" (dict "Values" .Values "key" "securityContext.runAsGroup") }} + fsGroup: {{ include "common.getKeyValue" (dict "Values" .Values "key" "securityContext.fsGroup") }} +{{- end }} diff --git a/charts/common/templates/_getKeyLookup.tpl b/charts/common/templates/_getKeyLookup.tpl new file mode 100644 index 000000000..e73ec45ac --- /dev/null +++ b/charts/common/templates/_getKeyLookup.tpl 
@@ -0,0 +1,92 @@ +{{/* + Function: common.getKeyValue + Description: + Retrieves a value from values.yaml by checking keys in this order: + 1. Override key, 2. Global key, 3. Chart key ,4. Default key. Returns an empty string if none exist. + + Parameters: + - .key: Key path to lookup. + - .Values: Values object. +*/}} +{{- define "common.getKeyValue" -}} + {{- $keyPath := .key -}} + {{- $values := .Values -}} + + {{- $overrideKey := printf "%sOverride" $keyPath -}} + {{- $globalKey := printf "global.%s" $keyPath -}} + {{- $defaultKey := printf "common.defaults.%s" $keyPath -}} + + {{- $value := "" -}} + {{- if eq (include "common.hasNestedKey" (dict "Values" $values "key" $overrideKey)) "true" }} + {{- $value = include "common.getNestedValue" (dict "Values" $values "key" $overrideKey) }} + {{- else if eq (include "common.hasNestedKey" (dict "Values" $values "key" $globalKey)) "true" }} + {{- $value = include "common.getNestedValue" (dict "Values" $values "key" $globalKey) }} + {{- else if eq (include "common.hasNestedKey" (dict "Values" $values "key" $keyPath)) "true" }} + {{- $value = include "common.getNestedValue" (dict "Values" $values "key" $keyPath) }} + {{- else if eq (include "common.hasNestedKey" (dict "Values" $values "key" $defaultKey)) "true" }} + {{- $value = include "common.getNestedValue" (dict "Values" $values "key" $defaultKey) }} + {{- else -}} + {{- $value = "" -}} + {{- end -}} + {{- $value -}} +{{- end }} + + +{{- define "common.hasNestedKey" -}} +{{- /* +This function checks recursively if a nested key exists within a map. +Usage: {{ include "common.hasNestedKey" (dict "Values" .Values "key" "key1.key2.key3") }} +Returns: true or false (boolean). +*/ -}} + {{- $map := .Values -}} + {{- $keyPath := splitList "." 
.key -}} + {{- $output := false -}} + + {{- if not (kindIs "map" $map) }} + {{- $output = false -}} + {{- else if eq (len $keyPath) 1 }} + {{- $output = hasKey $map (first $keyPath) -}} + {{- else }} + {{- $currentKey := first $keyPath -}} + {{- $remainingKeys := rest $keyPath | join "." -}} + {{- $nextMap := get $map $currentKey -}} + {{- if kindIs "map" $nextMap }} + {{- $output = include "common.hasNestedKey" (dict "Values" $nextMap "key" $remainingKeys) -}} + {{- else }} + {{- $output = false -}} + {{- end }} + {{- end }} + {{- $output -}} +{{- end }} + + + +{{- define "common.getNestedValue" -}} +{{- /* +This function retrieves the value at a nested key within a map. +Usage: {{ include "common.getNestedValue" (dict "Values" .Values "key" "key1.key2.key3") }} +Returns: The value at the nested key path or "null" if the path does not exist. +*/ -}} + {{- $map := .Values -}} + {{- $keyPath := splitList "." .key -}} + + {{- if not (kindIs "map" $map) }} + {{- fail "common.getNestedValue: Values must be a map" -}} + {{- else if eq (len $keyPath) 1 }} + {{- if hasKey $map (first $keyPath) }} + {{- get $map (first $keyPath) -}} + {{- else }} + {{- "null" -}} + {{- end }} + {{- else }} + {{- $currentKey := first $keyPath -}} + {{- $remainingKeys := rest $keyPath | join "." -}} + {{- if hasKey $map $currentKey }} + {{- include "common.getNestedValue" (dict "Values" (get $map $currentKey) "key" $remainingKeys) -}} + {{- else }} + {{- "null" -}} + {{- end }} + {{- end }} +{{- end }} + + diff --git a/charts/common/templates/_imagePullSecret.tpl b/charts/common/templates/_imagePullSecret.tpl index 6accdd07c..75b879e7f 100644 --- a/charts/common/templates/_imagePullSecret.tpl +++ b/charts/common/templates/_imagePullSecret.tpl 
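Review bot: The `common.hasNestedKey` comment says it returns a boolean, but `include` always yields a string and `$output` is itself sometimes a Go bool (from `hasKey`) and sometimes the nested include's string, so callers must compare against `"true"` exactly as `common.getKeyValue` does; suggest `Returns: the string "true" or "false" (compare with eq ... "true")`. The `common.getKeyValue` header should also state explicitly that `global.<key>` outranks the chart's own `<key>`, which is the reverse of the usual Helm convention and is the behaviour the valueLookup tests in this commit pin. Finally, because every result passes through `include`, only scalar keys are safe here — a map default such as `deployment.resources.limits` would render as Go's `map[...]` text — and the comment should say so.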
@@ -1,4 +1,4 @@
 {{- define "common.imagePullSecret" }}
 imagePullSecrets:
-  - name: {{ default .Values.imagePullSecret (.Values.global).imagePullSecret }}
+  - name: {{ include "common.getKeyValue" (dict "Values" .Values "key" "imagePullSecret") }}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/common/templates/_istioEnabled.tpl b/charts/common/templates/_istioEnabled.tpl
index 778182c2f..218f1affc 100644
--- a/charts/common/templates/_istioEnabled.tpl
+++ b/charts/common/templates/_istioEnabled.tpl
@@ -1,3 +1,3 @@
 {{- define "common.istioEnabled" -}}
-{{- default (.Values.istio).enabled (((.Values.global).istio).enabled) -}}
+{{ include "common.getKeyValue" (dict "Values" .Values "key" "istio.enabled") }}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/common/templates/_tplvalues.tpl b/charts/common/templates/_tplvalues.tpl
new file mode 100644
index 000000000..b7fb8bd5a
--- /dev/null
+++ b/charts/common/templates/_tplvalues.tpl
@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template perhaps with scope if the scope is present.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+ {{- if .scope }}
+ {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+ {{- else }}
+ {{- tpl $value .context }}
+ {{- end }}
+{{- else }}
+ {{- $value }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/common/test-chart/Chart.lock b/charts/common/test-chart/Chart.lock
index 0e52e7a74..a6d4a2f8d 100644
--- a/charts/common/test-chart/Chart.lock
+++ b/charts/common/test-chart/Chart.lock
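Review bot: `common.istioEnabled` is kept as a thin wrapper over `common.getKeyValue`, yet `common.certManagerEnabled` is deleted outright in the same commit with no wrapper, so any chart that moves to `common` 0.1.5 and still includes it fails to render with a missing-template error; the two helpers should be treated alike, either both kept for compatibility or both removed with a note in the chart's changelog. The rewritten line also drops the leading dash used by the surrounding `{{- define` and `{{- end -}}`; output is unaffected because the neighbours trim, but `{{- include "common.getKeyValue" (dict "Values" .Values "key" "istio.enabled") -}}` matches the file's style.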
@@ -1,6 +1,6 @@ dependencies: - name: common repository: file://.. - version: 0.1.4 -digest: sha256:03b950f56aee5eb8a4a6fb02669d74e1f7858f0c69d3162ae63b2e633f7c2686 -generated: "2024-11-20T13:25:22.886154+01:00" + version: 0.1.5 +digest: sha256:4922b07dc901a2efda0b3d40954a68fa4dc360421bffdcaf96889b31a972f9b4 +generated: "2024-11-26T14:45:17.586883648+02:00" diff --git a/charts/common/test-chart/Chart.yaml b/charts/common/test-chart/Chart.yaml index 52f1bbebc..079b84532 100644 --- a/charts/common/test-chart/Chart.yaml +++ b/charts/common/test-chart/Chart.yaml @@ -25,5 +25,5 @@ appVersion: "1.16.0" dependencies: - name: common - version: 0.1.4 - repository: file://.. \ No newline at end of file + version: 0.1.5 + repository: file://.. diff --git a/charts/common/test-chart/charts/common-0.1.4.tgz b/charts/common/test-chart/charts/common-0.1.4.tgz deleted file mode 100644 index e0e259d2d..000000000 Binary files a/charts/common/test-chart/charts/common-0.1.4.tgz and /dev/null differ diff --git a/charts/common/test-chart/charts/common-0.1.5.tgz b/charts/common/test-chart/charts/common-0.1.5.tgz new file mode 100644 index 000000000..689530f88 Binary files /dev/null and b/charts/common/test-chart/charts/common-0.1.5.tgz differ diff --git a/charts/common/test-chart/templates/testHasNestedKey.yaml b/charts/common/test-chart/templates/testHasNestedKey.yaml new file mode 100644 index 000000000..ab31071ff --- /dev/null +++ b/charts/common/test-chart/templates/testHasNestedKey.yaml @@ -0,0 +1,6 @@ +kind: Test +apiVersion: v1 +metadata: + name: testKeyFunctions +spec: + check: {{ include "common.hasNestedKey" (dict "Values" .Values "key" "testkey.enabled") }} diff --git a/charts/common/test-chart/templates/valueLookup.yaml b/charts/common/test-chart/templates/valueLookup.yaml new file mode 100644 index 000000000..2bcab1d40 --- /dev/null +++ b/charts/common/test-chart/templates/valueLookup.yaml 
@@ -0,0 +1,7 @@ +kind: Test +apiVersion: v1 +metadata: + name: test +spec: + certManager: + enabled: {{ include "common.getKeyValue" (dict "Values" .Values "key" "testkey.enabled") }} diff --git a/charts/common/test-chart/templates/vs.yaml b/charts/common/test-chart/templates/vs.yaml index 0f38c84b5..8dc8380f6 100644 --- a/charts/common/test-chart/templates/vs.yaml +++ b/charts/common/test-chart/templates/vs.yaml @@ -3,7 +3,6 @@ apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} spec: gateways: - {{ .Release.Namespace }}/gateway diff --git a/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap b/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap index 5fdbf1740..ebb28bc07 100644 --- a/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap +++ b/charts/common/test-chart/tests/__snapshot__/istio_test.yaml.snap @@ -4,7 +4,6 @@ test global value: kind: VirtualService metadata: name: RELEASE-NAME-test-chart - namespace: NAMESPACE spec: gateways: - NAMESPACE/gateway @@ -26,7 +25,6 @@ test local value: kind: VirtualService metadata: name: RELEASE-NAME-test-chart - namespace: NAMESPACE spec: gateways: - NAMESPACE/gateway diff --git a/charts/common/test-chart/tests/hasNestedKey_test.yaml b/charts/common/test-chart/tests/hasNestedKey_test.yaml new file mode 100644 index 000000000..bdc3b48c4 --- /dev/null +++ b/charts/common/test-chart/tests/hasNestedKey_test.yaml 
@@ -0,0 +1,42 @@ +suite: hasNestedKey +templates: + - testHasNestedKey.yaml +tests: + - it: nested key not found due to missing values + asserts: + - equal: + path: spec.check + value: false + - it: key configured - string + set: + testkey: + enabled: foo + asserts: + - equal: + path: spec.check + value: true + - it: key configured - bool + set: + testkey: + enabled: true + asserts: + - equal: + path: spec.check + value: true + - it: key configured - object + set: + testkey: + enabled: + some: object + asserts: + - equal: + path: spec.check + value: true + - it: key multilevel - wrong type + set: + level1: + testkey: "foo" + asserts: + - equal: + path: spec.check + value: false diff --git a/charts/common/test-chart/tests/istio_test.yaml b/charts/common/test-chart/tests/istio_test.yaml index 5ce68dd65..8ff6ffdb8 100644 --- a/charts/common/test-chart/tests/istio_test.yaml +++ b/charts/common/test-chart/tests/istio_test.yaml @@ -3,6 +3,8 @@ templates: - vs.yaml values: - ../values.yaml +chart: + namespace: default tests: - it: test global value asserts: diff --git a/charts/common/test-chart/tests/valueLookup_test.yaml b/charts/common/test-chart/tests/valueLookup_test.yaml new file mode 100644 index 000000000..bdc39ba4f --- /dev/null +++ b/charts/common/test-chart/tests/valueLookup_test.yaml 
@@ -0,0 +1,87 @@ +suite: valueLookup +templates: + - valueLookup.yaml +tests: + - it: unknown key not found neither in 'defaults' nor in 'Override' neither in 'global' + asserts: + - equal: + path: spec.certManager.enabled + value: null + - it: override - overwrite value is taken, without defaults + set: + testkey: + enabledOverride: true + asserts: + - equal: + path: spec.certManager.enabled + value: true + - it: override - overwrites all other defaults + set: + testkey: + enabledOverride: true + enabled: false + global: + testkey: + enabled: false + common: + defaults: + testkey: + enabled: false + asserts: + - equal: + path: spec.certManager.enabled + value: true + - it: global - value is taken, without defaults + set: + global: + testkey: + enabled: true + asserts: + - equal: + path: spec.certManager.enabled + value: true + - it: global - global precedence over locals and defaults + set: + testkey: + enabled: false + global: + testkey: + enabled: true + common: + defaults: + testkey: + enabled: false + asserts: + - equal: + path: spec.certManager.enabled + value: true + - it: local - value is taken, without defaults + set: + testkey: + enabled: true + asserts: + - equal: + path: spec.certManager.enabled + value: true + - it: local - precedence over defaults + set: + testkey: + enabled: true + common: + defaults: + testkey: + enabled: false + asserts: + - equal: + path: spec.certManager.enabled + value: true + - it: default - value is taken + set: + common: + defaults: + testkey: + enabled: true + asserts: + - equal: + path: spec.certManager.enabled + value: true diff --git a/charts/common/test-chart/values.yaml b/charts/common/test-chart/values.yaml index f39056bb1..e69de29bb 100644 --- a/charts/common/test-chart/values.yaml +++ b/charts/common/test-chart/values.yaml @@ -1 +0,0 @@ -a: b \ No newline at end of file diff --git a/charts/common/values.yaml b/charts/common/values.yaml index e69de29bb..5f22953ba 100644 --- a/charts/common/values.yaml 
+++ b/charts/common/values.yaml @@ -0,0 +1,75 @@ +defaults: + + # -- service port + port: 8080 + + certManager: + # -- toggle to enable/disable cert-manager + enabled: false + + # -- imagePullSecret is the name of the secret that holds the docker registry credentials + imagePullSecret: "github" + + # -- imagePullPolicy is the policy to use when pulling images for all charts + imagePullPolicy: Always + + deployment: + resources: + # -- cpu and memory limits for the deployment + limits: + cpu: "100m" + memory: "512Mi" + # -- cpu and memory requests for the deployment + requests: + cpu: "40m" + memory: "50Mi" + # -- maxSurge + maxSurge: 5 + # -- maxUnavailable + maxUnavailable: 0 + # -- deployment strategy + strategy: RollingUpdate + # -- deployment revision history limit + revisionHistoryLimit: 3 + + health: + # -- health port + port: 8081 + # -- health period + periodSeconds: 10 + # -- readiness probe parameters + readiness: + path: "/readyz" + initialDelaySeconds: 5 + periodSeconds: 10 + # -- liveness probe parameters + liveness: + path: "/healthz" + failureThreshold: 1 + # -- startup probe parameters + startup: + path: "/readyz" + failureThreshold: 30 + + metrics: + # -- metrics port + port: 8080 + + istio: + # -- toggle to enable/disable istio + enabled: false + gateway: + # -- name of the gateway + name: gateway + + securityContext: + # -- user id to run the container + runAsUser: 1000 + # -- group id to run the container + runAsGroup: 3000 + # -- fsGroup id to run the container + fsGroup: 2000 + + externalSecrets: + # -- toggle to enable/disable external-secrets + enabled: true diff --git a/charts/example-content/Chart.lock b/charts/example-content/Chart.lock index 38e77fea3..a35e3fded 100644 --- a/charts/example-content/Chart.lock +++ b/charts/example-content/Chart.lock 
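Review bot: `defaults.metrics.port` and `defaults.port` are both `8080`, so a chart that includes `common.ports` (which appends `common.PortsMetricsHealth`) declares two containerPort 8080/TCP entries named `http` and `metrics` in the same container — the example-content deploy snapshot in this commit shows exactly that. Kubernetes, as far as I recall, enforces uniqueness of port names rather than numbers, so this passes validation silently while misleading Service and NetworkPolicy selectors and scrapers. Give metrics its own default (for example `port: 9090`, a constructed value) or make `common.ports` skip the metrics entry when it equals `port`.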
@@ -1,6 +1,6 @@ dependencies: - name: common - repository: oci://ghcr.io/openmfp/helm-charts - version: 0.1.4 -digest: sha256:c551412b9fb78781c0b5f50d75927891fe1b124db6e7f75662494cb2af5124a6 -generated: "2024-11-21T15:21:18.817499816+02:00" + repository: file://../common + version: 0.1.5 +digest: sha256:22600e7bfcab429b2e013cb3ff4ad21252274de627cccb908c95cc025ef150ce +generated: "2024-11-27T19:50:11.199614661+02:00" diff --git a/charts/example-content/Chart.yaml b/charts/example-content/Chart.yaml index 19a2b4c69..31fe2e0d8 100644 --- a/charts/example-content/Chart.yaml +++ b/charts/example-content/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 appVersion: "0.126.0" description: Helm Chart for the openmfp Portal name: example-content -version: 0.110.7 +version: 0.110.8 dependencies: - name: common - version: 0.1.4 - repository: oci://ghcr.io/openmfp/helm-charts + version: 0.1.5 + repository: file://../common diff --git a/charts/example-content/README.MD b/charts/example-content/README.MD index 0de306dd9..b0913446c 100644 --- a/charts/example-content/README.MD +++ b/charts/example-content/README.MD 
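Review bot: Switching the `common` dependency from `oci://ghcr.io/openmfp/helm-charts` to `file://../common` while also committing `charts/common-0.1.5.tgz` means the vendored archive and the `charts/common` source can drift apart without the lock noticing, since the Chart.lock digest covers only the packaged archive; if the pipeline already runs `helm dependency build`, the `.tgz` files under `charts/*/charts/` should be gitignored rather than committed. The commit also leaves `README.MD` (still showing 0.110.6) next to the new `README.md`, and the two names collide on case-insensitive checkouts, so the upper-case file should be removed.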
@@ -1,12 +1,21 @@ -# Helm chart of the jukebox +# example-content -## Execute the linting in the pipeline +![Version: 0.110.6](https://img.shields.io/badge/Version-0.110.6-informational?style=flat-square) ![AppVersion: 0.124.0](https://img.shields.io/badge/AppVersion-0.124.0-informational?style=flat-square) -```shell -helm lint -f test-values.yaml -``` +Helm Chart for the openmfp Portal + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../common | common | 0.1.5 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.name | string | `"ghcr.io/openmfp/example-content"` | The image name | +| istio.virtualService.hosts[0] | string | `"your-host.com"` | | +| istio.virtualService.matchers[0].match[0].uri.exact | string | `"/ui/example-content"` | | +| istio.virtualService.matchers[0].match[1].uri.prefix | string | `"/ui/example-content/"` | | -## Debug the chart output -```shell -helm template --debug . -f test-values.yaml -``` diff --git a/charts/example-content/README.md b/charts/example-content/README.md new file mode 100644 index 000000000..8660f5348 --- /dev/null +++ b/charts/example-content/README.md 
@@ -0,0 +1,21 @@ +# example-content + +![Version: 0.110.7](https://img.shields.io/badge/Version-0.110.7-informational?style=flat-square) ![AppVersion: 0.126.0](https://img.shields.io/badge/AppVersion-0.126.0-informational?style=flat-square) + +Helm Chart for the openmfp Portal + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../common | common | 0.1.5 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.name | string | `"ghcr.io/openmfp/example-content"` | The image name | +| istio.virtualService.hosts[0] | string | `"your-host.com"` | | +| istio.virtualService.matchers[0].match[0].uri.exact | string | `"/ui/example-content"` | | +| istio.virtualService.matchers[0].match[1].uri.prefix | string | `"/ui/example-content/"` | | + diff --git a/charts/example-content/charts/common-0.1.4.tgz b/charts/example-content/charts/common-0.1.4.tgz deleted file mode 100644 index 9b8721b64..000000000 Binary files a/charts/example-content/charts/common-0.1.4.tgz and /dev/null differ diff --git a/charts/example-content/charts/common-0.1.5.tgz b/charts/example-content/charts/common-0.1.5.tgz new file mode 100644 index 000000000..da1b3a71b Binary files /dev/null and b/charts/example-content/charts/common-0.1.5.tgz differ diff --git a/charts/example-content/templates/deploy.yaml b/charts/example-content/templates/deploy.yaml index f63f9ce57..ca7bf5f22 100644 --- a/charts/example-content/templates/deploy.yaml +++ b/charts/example-content/templates/deploy.yaml 
@@ -2,15 +2,14 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} labels: app: {{ include "common.entity.name" . }} spec: strategy: rollingUpdate: - maxSurge: {{ .Values.deployment.maxSurge }} - maxUnavailable: {{ .Values.deployment.maxUnavailable }} - revisionHistoryLimit: 3 + maxSurge: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.maxSurge") }} + maxUnavailable: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.maxUnavailable") }} + revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }} selector: matchLabels: app: {{ include "common.entity.name" . }} @@ -20,29 +19,17 @@ spec: app: {{ include "common.entity.name" . }} spec: serviceAccountName: {{ include "common.entity.name" . }} - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 + {{- include "common.spec.securityContext" (dict "Values" .Values) | nindent 6 }} containers: - name: {{ include "common.entity.name" . }} image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - readOnlyRootFilesystem: true + imagePullPolicy: {{ include "common.getKeyValue" (dict "Values" .Values "key" "imagePullPolicy") }} + {{- include "common.container.securityContext" (dict "Values" .Values "Release" .Release) | nindent 8 }} env: - name: PORT - value: "{{ .Values.port }}" - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 40m - memory: 50Mi - ports: - - name: http - containerPort: {{ .Values.port }} + value: "{{ include "common.getKeyValue" (dict "Values" .Values "key" "port") -}}" + {{- include "common.resources" . | nindent 8 -}} + {{- include "common.ports" (dict "Values" .Values) | nindent 8 }} volumeMounts: - name: tmp-volume mountPath: /var/cache/nginx 
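Review bot: The three helper includes on consecutive lines use three different context shapes — `common.resources` gets `.`, `common.ports` gets `(dict "Values" .Values)`, and `common.container.securityContext` gets `(dict "Values" .Values "Release" .Release)` — so a helper that later reads `.Chart` or `.Release` will break depending on which line it was copied from. As far as the helpers visible in `_deploymentHelpers.tpl` go, they only read `.Values` and `.Release`, so passing `.` on all three lines is equivalent today and removes the trap. The closing `-}}` inside the quoted PORT value is also unusual; `value: "{{ include "common.getKeyValue" (dict "Values" .Values "key" "port") }}"` reads more plainly, with the trimming left to the `{{-` on the following line.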
diff --git a/charts/example-content/templates/istio-virtual-service.yaml b/charts/example-content/templates/istio-virtual-service.yaml
index 44ce3fa84..abfd66e23 100644
--- a/charts/example-content/templates/istio-virtual-service.yaml
+++ b/charts/example-content/templates/istio-virtual-service.yaml
@@ -1,4 +1,4 @@
-{{- if eq (include "common.istioEnabled" .) "true" -}}
+{{- if eq (include "common.getNestedValue" (dict "Values" .Values "key" "istio.enabled")) "true" -}}
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -6,7 +6,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 spec:
 gateways:
- - {{ .Release.Namespace }}/{{ .Values.istio.gateway.name }}
+ - {{ .Release.Namespace }}/{{ include "common.getKeyValue" (dict "Values" .Values "istio.gateway.name") }}
 hosts:
 {{- .Values.istio.virtualService.hosts | toYaml | nindent 2}}
 http:
diff --git a/charts/example-content/templates/sa.yaml b/charts/example-content/templates/sa.yaml
index 939d253d4..369bd3af0 100644
--- a/charts/example-content/templates/sa.yaml
+++ b/charts/example-content/templates/sa.yaml
@@ -3,5 +3,4 @@ kind: ServiceAccount
 metadata:
 name: {{ include "common.entity.name" . }}
 namespace: {{ .Release.Namespace }}
-imagePullSecrets:
- - name: {{ .Values.image.pullSecret }}
+{{- include "common.imagePullSecret" (dict "Values" .Values) }}
diff --git a/charts/example-content/tests/__snapshot__/deploy_test.yaml.snap b/charts/example-content/tests/__snapshot__/deploy_test.yaml.snap
index 47b2a0888..8ecac1904 100644
--- a/charts/example-content/tests/__snapshot__/deploy_test.yaml.snap
+++ b/charts/example-content/tests/__snapshot__/deploy_test.yaml.snap
@@ -6,7 +6,6 @@ matches the snapshot:
 labels:
 app: RELEASE-NAME-example-content
 name: RELEASE-NAME-example-content
- namespace: NAMESPACE
 spec:
 revisionHistoryLimit: 3
 selector:
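Review bot: Replacing `common.istioEnabled` with a direct `common.getNestedValue` on `istio.enabled` bypasses the override/global/defaults lookup this commit introduces everywhere else, and because example-content's values.yaml drops `istio.enabled: true` in the same commit the helper now returns the string `null`, so the VirtualService is not rendered at all — the istio_test snapshot collapsing to `{}` records the regression rather than a passing test. Use `{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "istio.enabled")) "true" -}}` (or the updated `common.istioEnabled` helper) and keep `istio.enabled: true` in values.yaml if the gateway route is still intended.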
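Review bot: The gateway lookup passes `(dict "Values" .Values "istio.gateway.name")` without the `"key"` name, so sprig's `dict` stores `istio.gateway.name` as a key with an empty value and `.key` inside `common.getKeyValue` is nil; the `splitList "." .key` in `common.hasNestedKey` should then fail on the nil argument, which is currently masked only because the enclosing `if` never renders this resource. The line should read `- {{ .Release.Namespace }}/{{ include "common.getKeyValue" (dict "Values" .Values "key" "istio.gateway.name") }}`; a test case that sets `istio.enabled: true` would have caught both this and the disabled-route problem.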
@@ -22,24 +21,36 @@ matches the snapshot: app: RELEASE-NAME-example-content spec: containers: - - env: + - automountServiceAccountToken: true + env: - name: PORT value: "8080" image: ghcr.io/openmfp/example-content:1.0.0 - imagePullPolicy: IfNotPresent + imagePullPolicy: Always name: RELEASE-NAME-example-content ports: - containerPort: 8080 name: http + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP resources: limits: - cpu: "1" + cpu: 100m memory: 512Mi requests: cpu: 40m memory: 50Mi securityContext: readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME volumeMounts: - mountPath: /var/cache/nginx name: tmp-volume @@ -65,7 +76,6 @@ matches the snapshot with FRONTEND_PORT: labels: app: RELEASE-NAME-example-content name: RELEASE-NAME-example-content - namespace: NAMESPACE spec: revisionHistoryLimit: 3 selector: @@ -81,24 +91,36 @@ matches the snapshot with FRONTEND_PORT: app: RELEASE-NAME-example-content spec: containers: - - env: + - automountServiceAccountToken: true + env: - name: PORT value: "8080" image: ghcr.io/openmfp/example-content:1.0.0 - imagePullPolicy: IfNotPresent + imagePullPolicy: Always name: RELEASE-NAME-example-content ports: - containerPort: 8080 name: http + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP resources: limits: - cpu: "1" + cpu: 100m memory: 512Mi requests: cpu: 40m memory: 50Mi securityContext: readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME volumeMounts: - mountPath: /var/cache/nginx name: tmp-volume diff --git a/charts/example-content/tests/__snapshot__/istio_test.yaml.snap b/charts/example-content/tests/__snapshot__/istio_test.yaml.snap index 1dec3be58..0967ef424 100644 
--- a/charts/example-content/tests/__snapshot__/istio_test.yaml.snap +++ b/charts/example-content/tests/__snapshot__/istio_test.yaml.snap @@ -1,23 +1 @@ -matches the snapshot: - 1: | - apiVersion: networking.istio.io/v1alpha3 - kind: VirtualService - metadata: - name: RELEASE-NAME-example-content - namespace: NAMESPACE - spec: - gateways: - - NAMESPACE/gateway - hosts: - - your-host.com - http: - - match: - - uri: - exact: /ui/example-content - - uri: - prefix: /ui/example-content/ - route: - - destination: - host: RELEASE-NAME-example-content.NAMESPACE.svc.cluster.local - port: - number: 8080 +{} diff --git a/charts/example-content/values.yaml b/charts/example-content/values.yaml index 72524ce39..612506d72 100644 --- a/charts/example-content/values.yaml +++ b/charts/example-content/values.yaml @@ -1,18 +1,8 @@ image: + # -- The image name name: ghcr.io/openmfp/example-content - pullPolicy: IfNotPresent - pullSecret: github - -deployment: - maxUnavailable: 0 - maxSurge: 5 - -port: 8080 istio: - enabled: true - gateway: - name: gateway virtualService: hosts: - your-host.com diff --git a/charts/extension-manager-operator-crds/.helmignore b/charts/extension-manager-operator-crds/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/extension-manager-operator-crds/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/extension-manager-operator-crds/Chart.yaml b/charts/extension-manager-operator-crds/Chart.yaml new file mode 100644 index 000000000..5eebe9c2c --- /dev/null +++ b/charts/extension-manager-operator-crds/Chart.yaml 
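Review bot: Dropping `istio.enabled`, `istio.gateway.name`, `port`, `image.pullPolicy` and `image.pullSecret` from values.yaml changes rendered output without any value stating why: the istio snapshot in the same commit became `{}`, so the VirtualService is no longer rendered by default and `istio.virtualService.hosts` is now a dead default unless `istio.enabled` is set elsewhere, and the deployment snapshot flips `imagePullPolicy` from `IfNotPresent` to `Always`. If these now come from the common chart's defaults, a helm-docs comment on the remaining keys such as `# -- Override the common chart default; see the common chart values` would document that, and a unit test that sets `istio.enabled: true` would keep the VirtualService template (and its gateway lookup) covered.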
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: extension-manager-operator-crds +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.3 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/charts/extension-manager-operator-crds/README.md b/charts/extension-manager-operator-crds/README.md new file mode 100644 index 000000000..8ac00bcf6 --- /dev/null +++ b/charts/extension-manager-operator-crds/README.md @@ -0,0 +1,6 @@ +# extension-manager-operator-crds + +![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) + +A Helm chart for Kubernetes + 
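Review bot: `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` are the `helm create` scaffold defaults rather than anything describing this chart, and the README generated from this file repeats the placeholder; the sibling charts/extension-manager-operator/Chart.yaml in the same commit does describe its purpose. Suggest `description: Custom Resource Definitions for the extension-manager-operator` and an appVersion that tracks the operator release these CRDs belong to, and the scaffold comment block explaining application vs. library charts can be removed.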
diff --git a/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml b/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml new file mode 100644 index 000000000..7a6cd3a3e --- /dev/null +++ b/charts/extension-manager-operator-crds/templates/core.openmfp.io_contentconfigurations.yaml 
@@ -0,0 +1,170 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: contentconfigurations.core.openmfp.io +spec: + group: core.openmfp.io + names: + kind: ContentConfiguration + listKind: ContentConfigurationList + plural: contentconfigurations + shortNames: + - cc + singular: contentconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Valid")].status + name: Valid + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ContentConfiguration is the Schema for the contentconfigurations + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ContentConfigurationSpec defines the desired state of ContentConfiguration + properties: + inlineConfiguration: + properties: + content: + type: string + contentType: + enum: + - yaml + - json + type: string + type: object + remoteConfiguration: + properties: + authentication: + properties: + secretRef: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. 
+ properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: + type: string + type: object + contentType: + enum: + - yaml + - json + type: string + url: + type: string + type: object + type: object + status: + description: ContentConfigurationStatus defines the observed state of + ContentConfiguration + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + configurationResult: + type: string + nextReconcileTime: + format: date-time + type: string + observedGeneration: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/extension-manager-operator-crds/test-values.yaml b/charts/extension-manager-operator-crds/test-values.yaml new file mode 100644 index 000000000..c831e7c4e --- /dev/null +++ b/charts/extension-manager-operator-crds/test-values.yaml @@ -0,0 +1 @@ +# Place values here diff --git a/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap b/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap new file mode 100644 index 000000000..77346470a --- /dev/null +++ b/charts/extension-manager-operator-crds/tests/__snapshot__/deployment_test.yaml.snap 
@@ -0,0 +1,168 @@ +operator match the snapshot: + 1: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: contentconfigurations.core.openmfp.io + spec: + group: core.openmfp.io + names: + kind: ContentConfiguration + listKind: ContentConfigurationList + plural: contentconfigurations + shortNames: + - cc + singular: contentconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Valid")].status + name: Valid + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ContentConfiguration is the Schema for the contentconfigurations API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ContentConfigurationSpec defines the desired state of ContentConfiguration + properties: + inlineConfiguration: + properties: + content: + type: string + contentType: + enum: + - yaml + - json + type: string + type: object + remoteConfiguration: + properties: + authentication: + properties: + secretRef: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: + type: string + type: object + contentType: + enum: + - yaml + - json + type: string + url: + type: string + type: object + type: object + status: + description: ContentConfigurationStatus defines the observed state of ContentConfiguration + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + configurationResult: + type: string + nextReconcileTime: + format: date-time + type: string + observedGeneration: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/extension-manager-operator-crds/tests/deployment_test.yaml b/charts/extension-manager-operator-crds/tests/deployment_test.yaml new file mode 100644 index 000000000..c46a2f9ff --- /dev/null +++ b/charts/extension-manager-operator-crds/tests/deployment_test.yaml 
@@ -0,0 +1,12 @@ +suite: operator +templates: + - core.openmfp.io_contentconfigurations.yaml +values: + - ../test-values.yaml +chart: + version: 0.1.1 + appVersion: 1.16.0 +tests: + - it: operator match the snapshot + asserts: + - matchSnapshot: {} \ No newline at end of file diff --git a/charts/extension-manager-operator-crds/values.yaml b/charts/extension-manager-operator-crds/values.yaml new file mode 100644 index 000000000..c831e7c4e --- /dev/null +++ b/charts/extension-manager-operator-crds/values.yaml @@ -0,0 +1 @@ +# Place values here diff --git a/charts/extension-manager-operator/.helmignore b/charts/extension-manager-operator/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/extension-manager-operator/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/extension-manager-operator/Chart.lock b/charts/extension-manager-operator/Chart.lock new file mode 100644 index 000000000..ce05994b9 --- /dev/null +++ b/charts/extension-manager-operator/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: extension-manager-operator-crds + repository: file://../extension-manager-operator-crds + version: 0.1.3 +- name: common + repository: file://../common + version: 0.1.5 +digest: sha256:c866935aba532b7089a518053501d5e44863e0fc7ee4e6f6b5df9f324596f55b +generated: "2024-11-22T16:15:55.20032089+02:00" diff --git a/charts/extension-manager-operator/Chart.yaml b/charts/extension-manager-operator/Chart.yaml new file mode 100644 index 000000000..05805722a --- /dev/null +++ b/charts/extension-manager-operator/Chart.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v2 +name: extension-manager-operator +description: A Helm chart for extension-manager-operator +type: application +version: 0.22.34 +appVersion: "0.66.0" +dependencies: + - name: extension-manager-operator-crds + version: 0.1.3 + condition: crds.enabled + repository: file://../extension-manager-operator-crds + - name: common + version: 0.1.5 + repository: file://../common diff --git a/charts/extension-manager-operator/README.md b/charts/extension-manager-operator/README.md new file mode 100644 index 000000000..4e552b051 --- /dev/null +++ b/charts/extension-manager-operator/README.md @@ -0,0 +1,22 @@ +# extension-manager-operator + +![Version: 0.22.34](https://img.shields.io/badge/Version-0.22.34-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.66.0](https://img.shields.io/badge/AppVersion-0.66.0-informational?style=flat-square) + +A Helm chart for extension-manager-operator + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../common | common | 0.1.5 | +| file://../extension-manager-operator-crds | extension-manager-operator-crds | 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | | +| crds.enabled | bool | `true` | | +| image.name | string | `"ghcr.io/openmfp/extension-content-operator"` | | +| image.tag | string | `"0.16.0"` | | + diff --git a/charts/extension-manager-operator/charts/common-0.1.5.tgz b/charts/extension-manager-operator/charts/common-0.1.5.tgz new file mode 100644 index 000000000..bc56a6f9b Binary files /dev/null and b/charts/extension-manager-operator/charts/common-0.1.5.tgz differ 
diff --git a/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.1.3.tgz b/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.1.3.tgz new file mode 100644 index 000000000..f9db5e92a Binary files /dev/null and b/charts/extension-manager-operator/charts/extension-manager-operator-crds-0.1.3.tgz differ diff --git a/charts/extension-manager-operator/templates/cluster-role.yaml b/charts/extension-manager-operator/templates/cluster-role.yaml new file mode 100644 index 000000000..37b4e52c0 --- /dev/null +++ b/charts/extension-manager-operator/templates/cluster-role.yaml @@ -0,0 +1,50 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "common.entity.name" . }} +rules: +- apiGroups: + - core.openmfp.io + resources: + - contentconfigurations + - contentconfigurations/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch diff --git a/charts/extension-manager-operator/templates/cluster-rolebinding.yaml b/charts/extension-manager-operator/templates/cluster-rolebinding.yaml new file mode 100644 index 000000000..45876e6f2 --- /dev/null +++ b/charts/extension-manager-operator/templates/cluster-rolebinding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "common.entity.name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "common.entity.name" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "common.entity.name" . }} + apiGroup: rbac.authorization.k8s.io 
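Review bot: The ClusterRole grants cluster-wide `create/delete/get/list/patch/update/watch` on `coordination.k8s.io` leases and all seven verbs on core `events`, although leader election presumably needs a lease only in the operator's own namespace and event recording needs `create`/`patch`. A namespaced `Role`/`RoleBinding` in `{{ .Release.Namespace }}` for leases, and trimming events to `create`, `patch` (adding `get`/`list`/`watch` only if the operator reads events), keeps the binding at least privilege; the `contentconfigurations` and `namespaces` rules look appropriate for the CRD this operator owns. The rules use flush `-` sequences (controller-gen style) while the rest of the chart indents its sequences; either form is valid, but the file should match its neighbours.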
diff --git a/charts/extension-manager-operator/templates/deployment.yaml b/charts/extension-manager-operator/templates/deployment.yaml new file mode 100644 index 000000000..eef43b3dd --- /dev/null +++ b/charts/extension-manager-operator/templates/deployment.yaml @@ -0,0 +1,41 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.entity.name" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }} + selector: + matchLabels: + service: {{ include "common.entity.name" . }} + template: + metadata: + labels: + service: {{ include "common.entity.name" . }} + {{- if ((.Values.deployment).template).labels }} + {{ .Values.deployment.template.labels | toYaml | nindent 8 }} + {{- end }} + annotations: + sidecar.istio.io/inject: "{{ (include "common.istioEnabled" .) }}" + {{- if ((.Values.deployment).template).annotations }} + {{ .Values.deployment.template.annotations | toYaml | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "common.entity.name" . }} + containers: + - args: + - operator + - --leader-elect + - --log-level={{ .Values.logLevel }} + - '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}' + image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} + imagePullPolicy: {{ include "common.imagePullPolicy" . }} + name: manager + {{ include "common.container.securityContext" . | nindent 10 }} + ports: + {{ include "common.PortsMetricsHealth" . | nindent 10 }} + {{ include "common.operatorHealthAndReadyness" . | nindent 10 }} + {{ include "common.resources" . | nindent 10 }} + terminationGracePeriodSeconds: {{ include "common.terminationGracePeriodSeconds" .}} 
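Review bot: `- --log-level={{ .Values.logLevel }}` has no backing key in charts/extension-manager-operator/values.yaml, so the default render passes an empty value — the snapshot in this commit shows `- --log-level=` — and whether the operator treats that as an error or a default is not visible here. Either add `logLevel` to values.yaml with a documented default, or make the flag conditional: `{{- with .Values.logLevel }}`, `- --log-level={{ . }}`, `{{- end }}`. The other lookups in this template go through `common.getKeyValue`, so this one could use it too if the common chart carries a default. The helper `common.container.securityContext` is called with `.` here and with `(dict "Values" .Values "Release" .Release)` in the example-content deployment; a single calling convention would be easier to maintain.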
diff --git a/charts/extension-manager-operator/templates/service-account.yaml b/charts/extension-manager-operator/templates/service-account.yaml new file mode 100644 index 000000000..490c917a9 --- /dev/null +++ b/charts/extension-manager-operator/templates/service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "common.entity.name" . }} +{{- include "common.imagePullSecret" . }} diff --git a/charts/extension-manager-operator/test-values.yaml b/charts/extension-manager-operator/test-values.yaml new file mode 100644 index 000000000..6cfd56954 --- /dev/null +++ b/charts/extension-manager-operator/test-values.yaml @@ -0,0 +1,2 @@ +# Test Override Values for helm unit tests +a: b diff --git a/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap new file mode 100644 index 000000000..158879b53 --- /dev/null +++ b/charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap 
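Review bot: `common.imagePullSecret` is called here with the full context `.` but with `(dict "Values" .Values)` in charts/example-content/templates/sa.yaml in the same commit; both render (the snapshot shows `imagePullSecrets: - name: github`), but one convention should be chosen. The tests in this commit show that both `imagePullSecretOverride` and `global.imagePullSecret` are honoured, so a template comment such as `{{- /* imagePullSecrets come from the common chart; set imagePullSecretOverride or global.imagePullSecret to change them */ -}}` would tell readers where the default `github` secret name originates.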
@@ -0,0 +1,139 @@ +operator match the snapshot: + 1: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: extension-manager-operator + rules: + - apiGroups: + - core.openmfp.io + resources: + - contentconfigurations + - contentconfigurations/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: extension-manager-operator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: extension-manager-operator + subjects: + - kind: ServiceAccount + name: extension-manager-operator + namespace: NAMESPACE + 3: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: extension-manager-operator + spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + service: extension-manager-operator + template: + metadata: + annotations: + sidecar.istio.io/inject: "true" + labels: + service: extension-manager-operator + spec: + containers: + - args: + - operator + - --leader-elect + - --log-level= + - --health-probe-bind-address=:8081 + automountServiceAccountToken: true + image: ghcr.io/openmfp/extension-content-operator:1.0.0 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 1 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 + name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 260m + memory: 512Mi + requests: + 
cpu: 40m + memory: 50Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: extension-manager-operator + startupProbe: + failureThreshold: 30 + httpGet: + path: /readyz + port: 8081 + periodSeconds: 10 + serviceAccountName: extension-manager-operator + terminationGracePeriodSeconds: 10 + 4: | + apiVersion: v1 + imagePullSecrets: + - name: github + kind: ServiceAccount + metadata: + name: extension-manager-operator diff --git a/charts/extension-manager-operator/tests/deployment_test.yaml b/charts/extension-manager-operator/tests/deployment_test.yaml new file mode 100644 index 000000000..f8a5af02e --- /dev/null +++ b/charts/extension-manager-operator/tests/deployment_test.yaml 
@@ -0,0 +1,100 @@ +suite: operator +templates: + - deployment.yaml + - service-account.yaml + - cluster-role.yaml + - cluster-rolebinding.yaml +values: + - ../test-values.yaml +chart: + version: 1.0.0 + appVersion: 1.0.0 +release: + name: extension-manager-operator +tests: + - it: operator match the snapshot + asserts: + - matchSnapshot: {} + set: + istio: + enabledOverride: true + health: + portOverride: 8081 + liveness: + pathOverride: /readyz + metrics: + port: 8080 + deployment: + resources: + limits: + cpuOverride: 260m + memoryOverride: 512Mi + requests: + cpuOverride: 40m + memoryOverride: 50Mi + - it: deployment with metrics probes + template: deployment.yaml + set: + health: + port: 8081 + liveness: + path: /healthz + metrics: + port: 8082 + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + failureThreshold: 1 + httpGet: + path: /healthz + port: 8081 + periodSeconds: 10 + - it: check deployment template labels + template: deployment.yaml + set: + deployment: + template: + labels: + control-plane: controller-manager + asserts: + - equal: + path: spec.template.metadata.labels.control-plane + value: controller-manager + - it: check deployment without custom labels + template: deployment.yaml + set: + deployment: + template: {} + asserts: + - equal: + path: spec.template.metadata.labels + value: + service: extension-manager-operator + - it: test imagePullPolicy override + template: deployment.yaml + set: + imagePullPolicyOverride: IfNotPresent + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: IfNotPresent + - it: override imagePullSecret + template: service-account.yaml + set: + imagePullSecretOverride: my-secret + asserts: + - equal: + path: imagePullSecrets + value: + - name: my-secret + - it: configure global imagePullSecret + template: service-account.yaml + set: + global: + imagePullSecret: my-secret + asserts: + - equal: + path: imagePullSecrets + value: + - name: my-secret \ No 
newline at end of file diff --git a/charts/extension-manager-operator/values.yaml b/charts/extension-manager-operator/values.yaml new file mode 100644 index 000000000..dc6b3b28d --- /dev/null +++ b/charts/extension-manager-operator/values.yaml @@ -0,0 +1,15 @@ +# The image configuration for the Extension Manager Operator +## @param image.name The image repository +## @param image.tag The image tag +image: + name: ghcr.io/openmfp/extension-content-operator + tag: 0.16.0 + +# The Custom Resource Definitions (CRDs) configuration +## @param crds.enabled Enable or disable the CRDs +crds: + enabled: true + +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} diff --git a/charts/openmfp-crds/Chart.yaml b/charts/openmfp-crds/Chart.yaml index 0955421f9..72ac8ff0f 100644 --- a/charts/openmfp-crds/Chart.yaml +++ b/charts/openmfp-crds/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: openmfp-crds description: A chart containing CRD Definitions for OpenMFP type: application -version: 0.0.1 +version: 0.0.2 appVersion: "0.0.0" dependencies: diff --git a/charts/openmfp-crds/README.md b/charts/openmfp-crds/README.md new file mode 100644 index 000000000..2e00052ba --- /dev/null +++ b/charts/openmfp-crds/README.md 
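Review bot: The `deployment with metrics probes` test sets `metrics.port: 8082` but only asserts on `livenessProbe`, so the metrics port wiring is never checked; add `- equal: path: spec.template.spec.containers[0].ports[0].containerPort value: 8082` (or assert the whole `ports` list) so the test matches its name. No test sets `logLevel`, which is why the snapshot carries an empty `--log-level=` argument; a case with `logLevel` set would pin the flag. The file also ends without a trailing newline.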
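Review bot: `image.tag: 0.16.0` is declared (and documented via `## @param image.tag`) but the deployment template in this commit builds the image reference from `.Chart.AppVersion`, so the value is never used and the generated README advertises a knob that does nothing. Either drop the key or have the template honour it, e.g. `image: {{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}`. The comment style here (`## @param`) also differs from the `# --` helm-docs markers used in charts/example-content/values.yaml; pick one so helm-docs renders descriptions for both charts.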
@@ -0,0 +1,19 @@ +# openmfp-crds + +![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) + +A chart containing CRD Definitions for OpenMFP + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| oci://ghcr.io/openmfp/helm-charts | account-operator-crds | 0.1.5 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| account-operator-crds.enabled | bool | `true` | | +| extension-content-operator-crds.enabled | bool | `true` | | + diff --git a/charts/openmfp/Chart.yaml b/charts/openmfp/Chart.yaml index 6ab28b610..b30ba5e19 100644 --- a/charts/openmfp/Chart.yaml +++ b/charts/openmfp/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: openmfp description: The OpenMFP chart for Kubernetes type: application -version: 0.0.35 +version: 0.0.36 appVersion: "0.0.0" dependencies: diff --git a/charts/openmfp/README.md b/charts/openmfp/README.md new file mode 100644 index 000000000..a3b8ccc1c --- /dev/null +++ b/charts/openmfp/README.md 
@@ -0,0 +1,20 @@ +# openmfp + +![Version: 0.0.34](https://img.shields.io/badge/Version-0.0.34-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) + +The OpenMFP chart for Kubernetes + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| oci://ghcr.io/openmfp/helm-charts | example-content | 0.110.7 | +| oci://ghcr.io/openmfp/helm-charts | portal | 0.69.141 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| components.example-content.enabled | bool | `false` | | +| components.portal.enabled | bool | `true` | | + diff --git a/charts/portal/Chart.lock b/charts/portal/Chart.lock index fa76da0ce..5479e0227 100644 --- a/charts/portal/Chart.lock +++ b/charts/portal/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: file://../common - version: 0.1.4 -digest: sha256:05e31c3eb487f942d4ac07ce0dfe4e0620779b589ef481cdd6534c73a7f0ca27 -generated: "2024-11-20T11:36:34.0773803+02:00" + version: 0.1.5 +digest: sha256:22600e7bfcab429b2e013cb3ff4ad21252274de627cccb908c95cc025ef150ce +generated: "2024-11-22T16:16:28.923712048+02:00" diff --git a/charts/portal/Chart.yaml b/charts/portal/Chart.yaml index 67eb260ea..ae9579a63 100644 --- a/charts/portal/Chart.yaml +++ b/charts/portal/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 appVersion: "0.220.0" description: Helm Chart for the openmfp Portal name: portal -version: 0.69.142 +version: 0.69.143 dependencies: - name: common repository: file://../common - version: 0.1.4 + version: 0.1.5 diff --git a/charts/portal/README.MD b/charts/portal/README.MD index 0de306dd9..d82e0d065 100644 --- a/charts/portal/README.MD +++ b/charts/portal/README.MD 
@@ -1,12 +1,23 @@ -# Helm chart of the jukebox +# portal -## Execute the linting in the pipeline +![Version: 0.69.127](https://img.shields.io/badge/Version-0.69.127-informational?style=flat-square) ![AppVersion: 0.204.0](https://img.shields.io/badge/AppVersion-0.204.0-informational?style=flat-square) -```shell -helm lint -f test-values.yaml -``` +Helm Chart for the openmfp Portal + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../common | common | 0.1.5 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| featureToggles | string | `"enableSessionAutoRefresh=true"` | | +| http.protocol | string | `"https"` | | +| image.name | string | `"ghcr.io/openmfp/portal"` | | +| image.pullPolicyOverride | string | `"IfNotPresent"` | | +| importContent | bool | `true` | | +| validWebcomponentUrls | string | `".?"` | | -## Debug the chart output -```shell -helm template --debug . -f test-values.yaml -``` diff --git a/charts/portal/README.md b/charts/portal/README.md new file mode 100644 index 000000000..588165737 --- /dev/null +++ b/charts/portal/README.md @@ -0,0 +1,23 @@ +# portal + +![Version: 0.69.142](https://img.shields.io/badge/Version-0.69.142-informational?style=flat-square) ![AppVersion: 0.220.0](https://img.shields.io/badge/AppVersion-0.220.0-informational?style=flat-square) + +Helm Chart for the openmfp Portal + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../common | common | 0.1.5 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| featureToggles | string | `"enableSessionAutoRefresh=true"` | | +| http.protocol | string | `"https"` | | +| image.name | string | `"ghcr.io/openmfp/portal"` | | +| image.pullPolicyOverride | string | `"IfNotPresent"` | | +| importContent | bool | `true` | | +| validWebcomponentUrls | string | `".?"` | | + 
diff --git a/charts/portal/charts/common-0.1.4.tgz b/charts/portal/charts/common-0.1.4.tgz deleted file mode 100644 index bb03e0aab..000000000 Binary files a/charts/portal/charts/common-0.1.4.tgz and /dev/null differ diff --git a/charts/portal/charts/common-0.1.5.tgz b/charts/portal/charts/common-0.1.5.tgz new file mode 100644 index 000000000..5bab432c0 Binary files /dev/null and b/charts/portal/charts/common-0.1.5.tgz differ diff --git a/charts/portal/templates/deploy.yaml b/charts/portal/templates/deploy.yaml index 6fa839a41..0cc430bed 100644 --- a/charts/portal/templates/deploy.yaml +++ b/charts/portal/templates/deploy.yaml @@ -2,15 +2,14 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} labels: app: {{ include "common.entity.name" . }} spec: strategy: rollingUpdate: - maxSurge: {{ .Values.deployment.maxSurge }} - maxUnavailable: {{ .Values.deployment.maxUnavailable }} - revisionHistoryLimit: 3 + maxSurge: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.maxSurge") }} + maxUnavailable: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.maxUnavailable") }} + revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }} selector: matchLabels: app: {{ include "common.entity.name" . }} 
@@ -20,16 +19,12 @@ spec: app: {{ include "common.entity.name" . }} spec: serviceAccountName: {{ include "common.entity.name" . }} - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 + {{- include "common.spec.securityContext" (dict "Values" .Values) | nindent 6 }} containers: - name: {{ include "common.entity.name" . }} image: {{ .Values.image.name }}:{{ .Chart.AppVersion }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - readOnlyRootFilesystem: true + imagePullPolicy: {{ include "common.imagePullPolicy" . }} + {{ include "common.container.securityContext" . | nindent 8 }} env: - name: HTTP_PROTOCOL value: {{ .Values.http.protocol }} @@ -69,7 +64,7 @@ spec: value: "{{ .Values.featureToggles }}" {{- end }} - name: PORT - value: "{{ .Values.port }}" + value: "{{ include "common.getKeyValue" (dict "Values" .Values "key" "port") }}" - name: REGION value: {{ .Values.region }} - name: IMAGE_TAG @@ -92,13 +87,5 @@ spec: - name: VALID_WEBCOMPONENT_URLS value: '{{ .Values.validWebcomponentUrls }}' {{- end }} - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 40m - memory: 50Mi - ports: - - name: http - containerPort: {{ .Values.port }} \ No newline at end of file + {{ include "common.resources" . | nindent 8 }} + {{- include "common.ports" (dict "Values" .Values) | nindent 8 -}} \ No newline at end of file diff --git a/charts/portal/templates/external-secrets.yaml b/charts/portal/templates/external-secrets.yaml index 21248179d..25891e1cc 100644 --- a/charts/portal/templates/external-secrets.yaml +++ b/charts/portal/templates/external-secrets.yaml @@ -1,4 +1,4 @@ -{{- if .Values.externalSecrets.enabled -}} +{{- if eq (include "common.hasNestedKey" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" }} {{- $namespace := .Release.Namespace}} {{- $secretKeys := list }} {{- range $key, $idp := .Values.trust }} 
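Review bot: The rendered Deployment captured in this commit's updated snapshot places `automountServiceAccountToken: true` and `serviceAccountName: portal` inside the container entry rather than on the pod spec, so the `{{ include "common.container.securityContext" . | nindent 8 }}` line appears to be emitting pod-level keys at container indentation; neither is a valid container field, and depending on field validation the API server will either reject the manifest or prune them, silently losing the token-automount intent. The common helper ships as a binary tgz in this commit, so the cause is inferred from the snapshot rather than seen. The same snapshot shows the container securityContext gaining `runAsNonRoot` and `seccompProfile` but still lacking `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, which the restricted Pod Security Standard requires. Until the helper is corrected I'd set those two fields explicitly under the include in this template and move `automountServiceAccountToken` next to the existing pod-level `serviceAccountName:` line. The Deployment template continues outside this hunk.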
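Review bot: The `common.ports` include renders, per the updated snapshot, an `http` and a `metrics` port both on containerPort 8080 plus a `health-port` on 8081 that the old template never declared, and `common.resources` lowers the CPU limit from 1 to 100m; none of this is driven by values visible in this chart, so the portal's actual listeners and CPU needs should be confirmed before relying on the common defaults. Recent API servers warn on duplicate containerPort entries, and two names for one port make Service and NetworkPolicy port references ambiguous. If the portal serves metrics on the same listener, dropping the `metrics` entry, or setting the common chart's port values explicitly in values.yaml, would keep the manifest honest. The helper bodies are inside the vendored common tgz and cannot be reviewed here.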
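Review bot: The new guard `eq (include "common.hasNestedKey" ...) "true"` reads as a presence test rather than a value test, so if the helper does what its name says, `externalSecrets.enabled: false` would still render the ExternalSecret while an absent key disables it, the reverse of the old `if .Values.externalSecrets.enabled`. The helper lives in the vendored common tgz, so this is inferred from its name; if a value-aware helper is available, `{{- if eq (include "common.getKeyValue" (dict "Values" .Values "key" "externalSecrets.enabled")) "true" }}` would preserve the old semantics. Note that with `externalSecrets.enabled` dropped from values.yaml in this same commit the external-secrets snapshot collapsed to `{}`, so the template that provisions the portal's OIDC client secret is no longer exercised by the unit tests at all. The template body continues beyond this hunk.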
diff --git a/charts/portal/templates/istio-destination-rule.yaml b/charts/portal/templates/istio-destination-rule.yaml index cbfa097fc..db577dadb 100644 --- a/charts/portal/templates/istio-destination-rule.yaml +++ b/charts/portal/templates/istio-destination-rule.yaml @@ -3,7 +3,6 @@ apiVersion: "networking.istio.io/v1alpha3" kind: "DestinationRule" metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} spec: host: {{ include "common.entity.name" . }}.{{ .Release.Namespace }}.svc.cluster.local trafficPolicy: diff --git a/charts/portal/templates/istio-peerauthentication.yaml b/charts/portal/templates/istio-peerauthentication.yaml index 57be5b47c..a3af91716 100644 --- a/charts/portal/templates/istio-peerauthentication.yaml +++ b/charts/portal/templates/istio-peerauthentication.yaml @@ -3,7 +3,6 @@ apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} spec: selector: matchLabels: diff --git a/charts/portal/templates/istio-virtual-service.yaml b/charts/portal/templates/istio-virtual-service.yaml index f9a7262f0..04e0048fc 100644 --- a/charts/portal/templates/istio-virtual-service.yaml +++ b/charts/portal/templates/istio-virtual-service.yaml @@ -3,7 +3,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} spec: gateways: - {{ .Release.Namespace }}/gateway diff --git a/charts/portal/templates/sa.yaml b/charts/portal/templates/sa.yaml index 2eaf7c467..490c917a9 100644 --- a/charts/portal/templates/sa.yaml +++ b/charts/portal/templates/sa.yaml @@ -2,5 +2,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} {{- include "common.imagePullSecret" . }} 
diff --git a/charts/portal/templates/service.yaml b/charts/portal/templates/service.yaml index 94190ee6a..b8c370f1c 100644 --- a/charts/portal/templates/service.yaml +++ b/charts/portal/templates/service.yaml @@ -2,7 +2,6 @@ kind: Service apiVersion: v1 metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} spec: selector: app: {{ include "common.entity.name" . }} diff --git a/charts/portal/templates/sidecar.yaml b/charts/portal/templates/sidecar.yaml index 3d172bd63..acfdfb8d5 100644 --- a/charts/portal/templates/sidecar.yaml +++ b/charts/portal/templates/sidecar.yaml @@ -3,7 +3,6 @@ apiVersion: networking.istio.io/v1beta1 kind: Sidecar metadata: name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} spec: workloadSelector: labels: diff --git a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap index 176a2317e..e1de210e6 100644 --- a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap +++ b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap @@ -4,14 +4,13 @@ matches the snapshot: kind: Deployment metadata: labels: - app: RELEASE-NAME-portal - name: RELEASE-NAME-portal - namespace: NAMESPACE + app: portal + name: portal spec: revisionHistoryLimit: 3 selector: matchLabels: - app: RELEASE-NAME-portal + app: portal strategy: rollingUpdate: maxSurge: 5 @@ -19,10 +18,11 @@ matches the snapshot: template: metadata: labels: - app: RELEASE-NAME-portal + app: portal spec: containers: - - env: + - automountServiceAccountToken: true + env: - name: HTTP_PROTOCOL value: https - name: OIDC_CLIENT_ID_PORTAL 
@@ -51,22 +51,33 @@ matches the snapshot: - name: VALID_WEBCOMPONENT_URLS value: .? image: ghcr.io/openmfp/portal:1.0.0 - imagePullPolicy: IfNotPresent - name: RELEASE-NAME-portal + imagePullPolicy: Always + name: portal ports: - containerPort: 8080 name: http + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP resources: limits: - cpu: "1" + cpu: 100m memory: 512Mi requests: cpu: 40m memory: 50Mi securityContext: readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: portal securityContext: fsGroup: 2000 runAsGroup: 3000 runAsUser: 1000 - serviceAccountName: RELEASE-NAME-portal + serviceAccountName: portal diff --git a/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap b/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap index 9af794cf2..0967ef424 100644 --- a/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap +++ b/charts/portal/tests/__snapshot__/external-secrets_test.yaml.snap @@ -1,22 +1 @@ -matches the snapshot: - 1: | - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: RELEASE-NAME-portal-client-secret-portal - namespace: NAMESPACE - spec: - data: - - remoteRef: - conversionStrategy: Default - key: dxp-core-team/manual-secrets/portal-client-secrets - property: portal - secretKey: secret - refreshInterval: 10m - secretStoreRef: - kind: SecretStore - name: environment-store - target: - creationPolicy: Owner - deletionPolicy: Retain - name: portal-client-secret-portal +{} diff --git a/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap b/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap index 61a6bfb54..121dcd3f7 100644 --- a/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap +++ b/charts/portal/tests/__snapshot__/istio-virtual_service_test.yaml.snap 
@@ -3,8 +3,7 @@ virtual service match the snapshot: apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: RELEASE-NAME-portal - namespace: NAMESPACE + name: portal spec: gateways: - NAMESPACE/gateway @@ -26,6 +25,6 @@ virtual service match the snapshot: - DELETE route: - destination: - host: RELEASE-NAME-portal.NAMESPACE.svc.cluster.local + host: portal.NAMESPACE.svc.cluster.local port: number: 8080 diff --git a/charts/portal/tests/__snapshot__/istio_test.yaml.snap b/charts/portal/tests/__snapshot__/istio_test.yaml.snap index 749ad78d9..b65ba3c1c 100644 --- a/charts/portal/tests/__snapshot__/istio_test.yaml.snap +++ b/charts/portal/tests/__snapshot__/istio_test.yaml.snap @@ -4,14 +4,13 @@ matches the snapshot: kind: Deployment metadata: labels: - app: RELEASE-NAME-portal - name: RELEASE-NAME-portal - namespace: NAMESPACE + app: portal + name: portal spec: revisionHistoryLimit: 3 selector: matchLabels: - app: RELEASE-NAME-portal + app: portal strategy: rollingUpdate: maxSurge: 5 @@ -19,10 +18,11 @@ matches the snapshot: template: metadata: labels: - app: RELEASE-NAME-portal + app: portal spec: containers: - - env: + - automountServiceAccountToken: true + env: - name: HTTP_PROTOCOL value: https - name: OIDC_CLIENT_ID_PORTAL 
@@ -51,47 +51,37 @@ matches the snapshot: - name: VALID_WEBCOMPONENT_URLS value: .? image: ghcr.io/openmfp/portal:1.0.0 - imagePullPolicy: IfNotPresent - name: RELEASE-NAME-portal + imagePullPolicy: Always + name: portal ports: - containerPort: 8080 name: http + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP resources: limits: - cpu: "1" + cpu: 100m memory: 512Mi requests: cpu: 40m memory: 50Mi securityContext: readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: portal securityContext: fsGroup: 2000 runAsGroup: 3000 runAsUser: 1000 - serviceAccountName: RELEASE-NAME-portal + serviceAccountName: portal 2: | - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: RELEASE-NAME-portal-client-secret-portal - namespace: NAMESPACE - spec: - data: - - remoteRef: - conversionStrategy: Default - key: dxp-core-team/manual-secrets/portal-client-secrets - property: portal - secretKey: secret - refreshInterval: 10m - secretStoreRef: - kind: SecretStore - name: environment-store - target: - creationPolicy: Owner - deletionPolicy: Retain - name: portal-client-secret-portal - 3: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -105,7 +95,7 @@ matches the snapshot: - get - watch - list - 4: | + 3: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -116,29 +106,27 @@ matches the snapshot: name: contentconfigurations-reader subjects: - kind: ServiceAccount - name: RELEASE-NAME-portal + name: portal namespace: NAMESPACE - 5: | + 4: | apiVersion: v1 imagePullSecrets: - name: github kind: ServiceAccount metadata: - name: RELEASE-NAME-portal - namespace: NAMESPACE - 6: | + name: portal + 5: | apiVersion: v1 kind: Service metadata: - name: RELEASE-NAME-portal - namespace: NAMESPACE + name: portal spec: ports: - name: http port: 8080 protocol: TCP selector: - app: RELEASE-NAME-portal + app: portal type: ClusterIP matches the snapshot with istio disabled: 1: | @@ -146,14 +134,13 @@ matches the snapshot with istio disabled: kind: Deployment metadata: labels: - app: RELEASE-NAME-portal - name: RELEASE-NAME-portal - namespace: NAMESPACE + app: portal + name: portal spec: revisionHistoryLimit: 3 selector: matchLabels: - app: RELEASE-NAME-portal + app: portal strategy: rollingUpdate: maxSurge: 5 @@ -161,10 +148,11 @@ matches the snapshot with istio disabled: template: metadata: labels: - app: RELEASE-NAME-portal + app: portal spec: containers: - - env: + - automountServiceAccountToken: true + env: - name: HTTP_PROTOCOL value: https - name: OIDC_CLIENT_ID_PORTAL 
@@ -193,47 +181,37 @@ matches the snapshot with istio disabled: - name: VALID_WEBCOMPONENT_URLS value: .? image: ghcr.io/openmfp/portal:1.0.0 - imagePullPolicy: IfNotPresent - name: RELEASE-NAME-portal + imagePullPolicy: Always + name: portal ports: - containerPort: 8080 name: http + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health-port + protocol: TCP resources: limits: - cpu: "1" + cpu: 100m memory: 512Mi requests: cpu: 40m memory: 50Mi securityContext: readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: portal securityContext: fsGroup: 2000 runAsGroup: 3000 runAsUser: 1000 - serviceAccountName: RELEASE-NAME-portal + serviceAccountName: portal 2: | - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: RELEASE-NAME-portal-client-secret-portal - namespace: NAMESPACE - spec: - data: - - remoteRef: - conversionStrategy: Default - key: dxp-core-team/manual-secrets/portal-client-secrets - property: portal - secretKey: secret - refreshInterval: 10m - secretStoreRef: - kind: SecretStore - name: environment-store - target: - creationPolicy: Owner - deletionPolicy: Retain - name: portal-client-secret-portal - 3: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -247,7 +225,7 @@ matches the snapshot with istio disabled: - get - watch - list - 4: | + 3: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -258,27 +236,25 @@ matches the snapshot with istio disabled: name: contentconfigurations-reader subjects: - kind: ServiceAccount - name: RELEASE-NAME-portal + name: portal namespace: NAMESPACE - 5: | + 4: | apiVersion: v1 imagePullSecrets: - name: github kind: ServiceAccount metadata: - name: RELEASE-NAME-portal - namespace: NAMESPACE - 6: | + name: portal + 5: | apiVersion: v1 kind: Service metadata: - name: RELEASE-NAME-portal - namespace: NAMESPACE + name: portal spec: ports: - name: http port: 8080 protocol: TCP selector: - app: RELEASE-NAME-portal + app: portal type: ClusterIP diff --git a/charts/portal/tests/deploy_test.yaml b/charts/portal/tests/deploy_test.yaml index 2472af1b5..c43b71bdf 100644 --- a/charts/portal/tests/deploy_test.yaml +++ b/charts/portal/tests/deploy_test.yaml @@ -4,6 +4,8 @@ templates: chart: version: 1.0.0 appVersion: 1.0.0 +release: + name: portal tests: - it: matches the snapshot values: diff --git a/charts/portal/tests/istio-virtual_service_test.yaml b/charts/portal/tests/istio-virtual_service_test.yaml index 2d302f27a..671febe33 100644 --- a/charts/portal/tests/istio-virtual_service_test.yaml +++ b/charts/portal/tests/istio-virtual_service_test.yaml @@ -3,6 +3,8 @@ templates: - istio-virtual-service.yaml values: - ../test-values.yaml +release: + name: portal tests: - it: virtual service match the snapshot set: diff --git a/charts/portal/tests/istio_test.yaml b/charts/portal/tests/istio_test.yaml index fe1897498..b061c3de5 100644 --- a/charts/portal/tests/istio_test.yaml +++ b/charts/portal/tests/istio_test.yaml @@ -2,6 +2,8 @@ suite: deploy chart: version: 1.0.0 appVersion: 1.0.0 +release: + name: portal tests: - it: matches the snapshot set: diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index b2db85e0a..8379613e6 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml 
@@ -1,20 +1,6 @@
image:
name: ghcr.io/openmfp/portal
- pullPolicy: IfNotPresent
-
-imagePullSecret: github
-
-deployment:
- maxUnavailable: 0
- maxSurge: 5
-
-port: 8080
-
-istio:
- enabled: true
-
-externalSecrets:
- enabled: true
+ pullPolicyOverride: IfNotPresent
http:
protocol: https
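Review bot: Deleting `istio.enabled: true` and `externalSecrets.enabled: true` from the defaults changes what the chart deploys out of the box, and the security consequence is not called out: the ExternalSecret carrying the portal's OIDC client secret and the Istio PeerAuthentication stop rendering unless a consumer now sets those keys, which this commit's snapshots confirm for the ExternalSecret (`{}`). Whether common 0.1.5 supplies replacement defaults cannot be checked here, since it arrives as a binary tgz. I'd either keep the two keys in values.yaml or add a comment naming where the default now lives, e.g. `# istio and externalSecrets defaults are inherited from the common chart; override here to disable`. Separately, `pullPolicyOverride: IfNotPresent` is set here yet every updated snapshot renders `imagePullPolicy: Always`, so either test-values.yaml overrides it or the helper ignores the key; worth confirming before release.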