From 81527ae2f69c0fd263950a9f011c8c8c8237f288 Mon Sep 17 00:00:00 2001
From: Omer Aplatony
Date: Tue, 30 Jul 2024 17:25:27 +0300
Subject: [PATCH] Fixed file

Signed-off-by: Omer Aplatony
---
 .../cluster-api-operator/templates/addon.yaml | 2 +-
 .../templates/bootstrap.yaml | 2 +-
 .../templates/control-plane.yaml | 2 +-
 .../templates/core-conditions.yaml | 2 +-
 .../cluster-api-operator/templates/core.yaml | 2 +-
 .../templates/infra-conditions.yaml | 2 +-
 .../cluster-api-operator/templates/infra.yaml | 2 +-
 test/e2e/helm_test.go | 35 +-
 .../resources/deployment-overrides-all.yaml | 1561 -----------------
 .../only-infra-and-addon-override.yaml | 123 ++
 10 files changed, 141 insertions(+), 1592 deletions(-)
 delete mode 100644 test/e2e/resources/deployment-overrides-all.yaml
 create mode 100644 test/e2e/resources/only-infra-and-addon-override.yaml

diff --git a/hack/charts/cluster-api-operator/templates/addon.yaml b/hack/charts/cluster-api-operator/templates/addon.yaml
index ec9b0815f..84cd8052a 100644
--- a/hack/charts/cluster-api-operator/templates/addon.yaml
+++ b/hack/charts/cluster-api-operator/templates/addon.yaml
@@ -53,7 +53,7 @@ spec:
 secretNamespace: {{ $.Values.secretNamespace }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "addon" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride) "addon" }}
 {{ .Values.deploymentOverride.addon | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/hack/charts/cluster-api-operator/templates/bootstrap.yaml b/hack/charts/cluster-api-operator/templates/bootstrap.yaml
index ddc675a6e..b13a0f0a9 100644
--- a/hack/charts/cluster-api-operator/templates/bootstrap.yaml
+++ b/hack/charts/cluster-api-operator/templates/bootstrap.yaml
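Review bot: In addon.yaml the block under `deploymentOverride.addon` is still emitted verbatim into `spec` by `toYaml | nindent 2`, and the new guard `hasKey (default (dict) $.Values.deploymentOverride) "addon"` only handles the case where `deploymentOverride` is unset. Nothing checks which keys the override carries, so a container `imageUrl` pointing at any registry reaches the provider spec unvalidated; that is acceptable only if values files are treated as trusted input, which should be stated. I would add a template comment above the guard, `{{- /* deploymentOverride.addon is rendered as-is into spec; values are trusted input */ -}}`, and move the repeated guard into one named template so it cannot drift. The same applies to the hunks in bootstrap.yaml, control-plane.yaml, core-conditions.yaml, core.yaml, infra-conditions.yaml and infra.yaml, where the copies already differ in spelling (`$.Values.deploymentOverride )`, `coreCondition|`). The enclosing `if` blocks start outside these hunks.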
@@ -52,7 +52,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "bootstrap" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride) "bootstrap" }}
 {{ .Values.deploymentOverride.bootstrap | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/hack/charts/cluster-api-operator/templates/control-plane.yaml b/hack/charts/cluster-api-operator/templates/control-plane.yaml
index 010b2f4be..2aac012f2 100644
--- a/hack/charts/cluster-api-operator/templates/control-plane.yaml
+++ b/hack/charts/cluster-api-operator/templates/control-plane.yaml
@@ -52,7 +52,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "controlPlane" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride) "controlPlane" }}
 {{ .Values.deploymentOverride.controlPlane | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/hack/charts/cluster-api-operator/templates/core-conditions.yaml b/hack/charts/cluster-api-operator/templates/core-conditions.yaml
index 2f48a826d..8fa3f81fd 100644
--- a/hack/charts/cluster-api-operator/templates/core-conditions.yaml
+++ b/hack/charts/cluster-api-operator/templates/core-conditions.yaml
@@ -27,7 +27,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "coreCondition" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride ) "coreCondition" }}
 {{ .Values.deploymentOverride.coreCondition| toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/hack/charts/cluster-api-operator/templates/core.yaml b/hack/charts/cluster-api-operator/templates/core.yaml
index 5476b6e5e..2ad512e35 100644
--- a/hack/charts/cluster-api-operator/templates/core.yaml
+++ b/hack/charts/cluster-api-operator/templates/core.yaml
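Review bot: core-conditions.yaml tests for the key `coreCondition` (and infra-conditions.yaml for `infraCondition`), while the test removed in this same patch passed `deploymentOverride.coreConditions...` and `deploymentOverride.infraConditions...`. With the plural spelling `hasKey` is simply false, so the chart renders without the override and without any error, and an operator who meant to pin or redirect a controller image gets the default instead. The replacement test no longer exercises either template, so nothing would catch this. I would document the accepted key next to the guard, `{{- /* accepted key: deploymentOverride.coreCondition (singular) */ -}}`, or make the chart fail when `deploymentOverride` contains a key that no template consumes.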
@@ -60,7 +60,7 @@ spec:
 namespace: {{ $.Values.configSecret.namespace }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "core" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride) "core" }}
 {{ .Values.deploymentOverride.core | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/hack/charts/cluster-api-operator/templates/infra-conditions.yaml b/hack/charts/cluster-api-operator/templates/infra-conditions.yaml
index c7fa15b9a..d9ee9434d 100644
--- a/hack/charts/cluster-api-operator/templates/infra-conditions.yaml
+++ b/hack/charts/cluster-api-operator/templates/infra-conditions.yaml
@@ -60,7 +60,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "infraCondition" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride ) "infraCondition" }}
 {{ .Values.deploymentOverride.infraCondition | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/hack/charts/cluster-api-operator/templates/infra.yaml b/hack/charts/cluster-api-operator/templates/infra.yaml
index 12766904b..c77e72548 100644
--- a/hack/charts/cluster-api-operator/templates/infra.yaml
+++ b/hack/charts/cluster-api-operator/templates/infra.yaml
@@ -81,7 +81,7 @@ spec:
 {{- include "recursivePrinter" $.Values.additionalDeployments | indent 2 }}
 {{- end }}
 {{- end }}
-{{- if hasKey $.Values.deploymentOverride "infrastructure" }}
+{{- if hasKey (default (dict) $.Values.deploymentOverride ) "infrastructure" }}
 {{ .Values.deploymentOverride.infrastructure | toYaml | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/test/e2e/helm_test.go b/test/e2e/helm_test.go
index f992782eb..f70d58382 100644
--- a/test/e2e/helm_test.go
+++ b/test/e2e/helm_test.go
@@ -262,32 +262,19 @@ var _ = Describe("Create a proper set of manifests when using helm charts", func
 Expect(manifests).To(MatchYAML(string(expectedManifests)))
 })
- It("should include deplpoymentoverrides when specified - all", func() {
- manifest, err := helmChart.Run(map[string]string{
- "core": "override-test-core",
- "bootstrap": "override-test-core",
- "controlPlane": "override-test-core",
- "infrastructure": "override-test-core",
- "addon": "override-test-core",
- "deploymentOverride.addon.containers[0].name": "manager",
- "deploymentOverride.addon.containers[0].imageUrl": "test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0",
- "deploymentOverride.core.containers[0].name": "manager",
- "deploymentOverride.core.containers[0].imageUrl": "test.org/cluster-api/cluster-api-controller:v1.7.1",
+ It("should include deplpoymentoverrides when specified", func() {
+ manifests, err := helmChart.Run(map[string]string{
+ "configSecret.name": "test-secret-name",
+ "configSecret.namespace": "test-secret-namespace",
+ "infrastructure": "docker",
+ "addon": "helm",
 "deploymentOverride.infrastructure.deployment.containers[0].name": "manager",
 "deploymentOverride.infrastructure.deployment.containers[0].imageUrl": "test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0",
- "deploymentOverride.bootstrap.deployment.containers[0].name": "manager",
- "deploymentOverride.bootstrap.deployment.containers[0].imageUrl": "test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0",
- "deploymentOverride.controlPlane.deployment.containers[0].name": "manager",
- "deploymentOverride.controlPlane.deployment.containers[0].imageUrl": "test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0",
- "deploymentOverride.coreConditions.containers[0].name": "manager",
- "deploymentOverride.coreConditions.containers[0].imageUrl": "test.org/cluster-api/cluster-api-controller:v1.7.1",
- "deploymentOverride.infraConditions.containers[0].name": "manager",
- "deploymentOverride.infraConditions.containers[0].imageUrl": "test.org/cluster-api/cluster-api-controller:v1.7.1",
 })
- Except(err).ToNot(HaveOccurred())
- Except(manifest).ToNot(BeEmpty())
- expectedManifests, err := os.ReadFile(filepath.Join(customManifestsFolder, "deployment-overrides-all.yaml"))
- Except(err).ToNot(HaveOccurred())
- Except(manifest).To(Equal(string(expectedManifests)))
+ Expect(err).ToNot(HaveOccurred())
+ Expect(manifests).ToNot(BeEmpty())
+ expectedManifests, err := os.ReadFile(filepath.Join(customManifestsFolder, "only-infra-and-addon-override.yaml"))
+ Expect(err).ToNot(HaveOccurred())
+ Expect(manifests).To(MatchYAML(string(expectedManifests)))
 })
 })
diff --git a/test/e2e/resources/deployment-overrides-all.yaml b/test/e2e/resources/deployment-overrides-all.yaml
deleted file mode 100644
index 381e15990..000000000
--- a/test/e2e/resources/deployment-overrides-all.yaml
+++ /dev/null
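Review bot: The rewritten case in test/e2e/helm_test.go passes only `deploymentOverride.infrastructure.deployment.containers[0].*`, although it enables `"addon": "helm"` and compares against a fixture named `only-infra-and-addon-override.yaml`. No `deploymentOverride.addon` entry is in the map, so the addon guard changed in this commit is never rendered with an override, and the core, bootstrap, control-plane and both condition templates lose their override coverage as well. I would add an addon override entry to the map, plus one case that sets no `deploymentOverride` at all, since that nil path is what the `default (dict)` change handles (other cases in this file may already cover it; they are outside the hunk). The description typo carried over and can be fixed in the same change: `It("should include deploymentOverride when specified", func() {`. The enclosing `Describe` block starts outside the hunk.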
@@ -1,1561 +0,0 @@ ---- -# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: release-name-cert-manager-cainjector - namespace: default - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 ---- -# Source: cluster-api-operator/charts/cert-manager/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: release-name-cert-manager - namespace: default - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: release-name-cert-manager-webhook - namespace: default - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 ---- -# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: 
cert-manager-v1.14.5 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "create", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update", "patch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# Issuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "issuers/status"] - verbs: ["update", "patch"] - - apiGroups: ["cert-manager.io"] - resources: ["issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# ClusterIssuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - 
app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update", "patch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# Certificates controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update", "patch"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["cert-manager.io"] - resources: ["certificates/finalizers", "certificaterequests/finalizers"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", 
"delete", "patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# Orders controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "orders/status"] - verbs: ["update", "patch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["create", "delete"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# Challenges controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - 
helm.sh/chart: cert-manager-v1.14.5 -rules: - # Use to update challenge resource status - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "challenges/status"] - verbs: ["update", "patch"] - # Used to watch challenge resources - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["get", "list", "watch"] - # Used to watch challenges, issuer and clusterissuer resources - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - # Need to be able to retrieve ACME account private key to complete challenges - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - # Used to create events - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # HTTP01 rules - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - - apiGroups: [ "gateway.networking.k8s.io" ] - resources: [ "httproutes" ] - verbs: ["get", "list", "watch", "create", "delete", "update"] - # We require the ability to specify a custom hostname when we are creating - # new ingress resources. 
- # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 - - apiGroups: ["route.openshift.io"] - resources: ["routes/custom-host"] - verbs: ["create"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges/finalizers"] - verbs: ["update"] - # DNS01 rules (duplicated above) - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# ingress-shim controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests"] - verbs: ["create", "update", "delete"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/finalizers"] - verbs: ["update"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: 
["gateways", "httproutes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gateways/finalizers", "httproutes/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-cluster-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["get", "list", "watch"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: 
release-name-cert-manager-edit - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates/status"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-controller-approve:cert-manager-io - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["signers"] - verbs: ["approve"] - resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# Permission to: -# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers -# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: 
release-name-cert-manager-controller-certificatesigningrequests - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests/status"] - verbs: ["update", "patch"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] - verbs: ["sign"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: release-name-cert-manager-webhook:subjectaccessreviews - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
release-name-cert-manager-cainjector -subjects: - - name: release-name-cert-manager-cainjector - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-issuers -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-clusterissuers -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: 
cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-certificates -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-orders -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-challenges -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - 
app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-ingress-shim -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-approve:cert-manager-io - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-approve:cert-manager-io -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: release-name-cert-manager-controller-certificatesigningrequests - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-controller-certificatesigningrequests -subjects: - - name: release-name-cert-manager - namespace: default - kind: ServiceAccount ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: 
release-name-cert-manager-webhook:subjectaccessreviews - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: release-name-cert-manager-webhook:subjectaccessreviews -subjects: -- apiGroup: "" - kind: ServiceAccount - name: release-name-cert-manager-webhook - namespace: default ---- -# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml -# leader election rules -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: release-name-cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - # Used for leader election by the controller - # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller - # see cmd/cainjector/start.go#L113 - # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller - # see cmd/cainjector/start.go#L137 - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] - verbs: ["get", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: release-name-cert-manager:leaderelection - namespace: kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - 
app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["cert-manager-controller"] - verbs: ["get", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: release-name-cert-manager-webhook:dynamic-serving - namespace: default - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -rules: -- apiGroups: [""] - resources: ["secrets"] - resourceNames: - - 'release-name-cert-manager-webhook-ca' - verbs: ["get", "list", "watch", "update"] -# It's not possible to grant CREATE permission on a single resourceName. 
-- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: release-name-cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: release-name-cert-manager-cainjector:leaderelection -subjects: - - kind: ServiceAccount - name: release-name-cert-manager-cainjector - namespace: default ---- -# Source: cluster-api-operator/charts/cert-manager/templates/rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: release-name-cert-manager:leaderelection - namespace: kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: release-name-cert-manager:leaderelection -subjects: - - apiGroup: "" - kind: ServiceAccount - name: release-name-cert-manager - namespace: default ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: release-name-cert-manager-webhook:dynamic-serving - namespace: default - labels: - app: webhook - 
app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: release-name-cert-manager-webhook:dynamic-serving -subjects: -- apiGroup: "" - kind: ServiceAccount - name: release-name-cert-manager-webhook - namespace: default ---- -# Source: cluster-api-operator/charts/cert-manager/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: release-name-cert-manager - namespace: default - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -spec: - type: ClusterIP - ports: - - protocol: TCP - port: 9402 - name: tcp-prometheus-servicemonitor - targetPort: 9402 - selector: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: release-name-cert-manager-webhook - namespace: default - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -spec: - type: ClusterIP - ports: - - name: https - port: 443 - protocol: TCP - targetPort: "https" - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" ---- -# Source: cluster-api-operator/charts/cert-manager/templates/cainjector-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - 
name: release-name-cert-manager-cainjector - namespace: default - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - template: - metadata: - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - spec: - serviceAccountName: release-name-cert-manager-cainjector - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-cainjector - image: "quay.io/jetstack/cert-manager-cainjector:v1.14.5" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - nodeSelector: - kubernetes.io/os: linux ---- -# Source: cluster-api-operator/charts/cert-manager/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: release-name-cert-manager - namespace: default - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: 
release-name - app.kubernetes.io/component: "controller" - template: - metadata: - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - annotations: - prometheus.io/path: "/metrics" - prometheus.io/scrape: 'true' - prometheus.io/port: '9402' - spec: - serviceAccountName: release-name-cert-manager - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-controller - image: "quay.io/jetstack/cert-manager-controller:v1.14.5" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=kube-system - - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.5 - - --max-concurrent-challenges=60 - ports: - - containerPort: 9402 - name: http-metrics - protocol: TCP - - containerPort: 9403 - name: http-healthz - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # LivenessProbe settings are based on those used for the Kubernetes - # controller-manager. 
See: - # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 - livenessProbe: - httpGet: - port: http-healthz - path: /livez - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 8 - nodeSelector: - kubernetes.io/os: linux ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: release-name-cert-manager-webhook - namespace: default - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - template: - metadata: - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - spec: - serviceAccountName: release-name-cert-manager-webhook - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-webhook - image: "quay.io/jetstack/cert-manager-webhook:v1.14.5" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --secure-port=10250 - - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - - --dynamic-serving-ca-secret-name=release-name-cert-manager-webhook-ca - - --dynamic-serving-dns-names=release-name-cert-manager-webhook - - --dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE) - - 
--dynamic-serving-dns-names=release-name-cert-manager-webhook.$(POD_NAMESPACE).svc - - ports: - - name: https - protocol: TCP - containerPort: 10250 - - name: healthcheck - protocol: TCP - containerPort: 6080 - livenessProbe: - httpGet: - path: /livez - port: 6080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 6080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - nodeSelector: - kubernetes.io/os: linux ---- -# Source: cluster-api-operator/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: release-name-cluster-api-operator - namespace: 'default' - labels: - app: cluster-api-operator - app.kubernetes.io/name: cluster-api-operator - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - control-plane: controller-manager - clusterctl.cluster.x-k8s.io/core: capi-operator -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cluster-api-operator - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - control-plane: controller-manager - clusterctl.cluster.x-k8s.io/core: capi-operator - template: - metadata: - labels: - app: cluster-api-operator - app.kubernetes.io/name: cluster-api-operator - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "controller" - control-plane: controller-manager - clusterctl.cluster.x-k8s.io/core: capi-operator - spec: - containers: - - args: - - --v=2 - - --health-addr=:8081 - - --metrics-bind-addr=127.0.0.1:8080 - - --diagnostics-address=8443 - - --leader-elect=true - command: - - /manager - image: 
"gcr.io/k8s-staging-capi-operator/cluster-api-operator:dev" - imagePullPolicy: IfNotPresent - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 8080 - name: metrics - protocol: TCP - resources: - limits: - cpu: 100m - memory: 150Mi - requests: - cpu: 100m - memory: 100Mi - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: capi-operator-webhook-service-cert - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - key: kubernetes.io/os - operator: In - values: - - linux - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane ---- -# Source: cluster-api-operator/templates/addon.yaml -# Addon provider ---- -# Source: cluster-api-operator/templates/bootstrap.yaml -# Bootstrap provider ---- -# Source: cluster-api-operator/templates/control-plane.yaml -# Control plane provider ---- -# Source: cluster-api-operator/templates/core-conditions.yaml -# Deploy core components if not specified ---- -# Source: cluster-api-operator/templates/core.yaml -# Core provider ---- -# Source: cluster-api-operator/templates/infra-conditions.yaml -# Deploy bootstrap, and infrastructure components if not specified ---- -# Source: cluster-api-operator/templates/infra.yaml -# Infrastructure providers ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-mutating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: release-name-cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - 
app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - annotations: - cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - rules: - - apiGroups: - - "cert-manager.io" - apiVersions: - - "v1" - operations: - - CREATE - resources: - - "certificaterequests" - admissionReviewVersions: ["v1"] - # This webhook only accepts v1 cert-manager resources. - # Equivalent matchPolicy ensures that non-v1 resource requests are sent to - # this webhook (after the resources have been converted to v1). - matchPolicy: Equivalent - timeoutSeconds: 30 - failurePolicy: Fail - # Only include 'sideEffects' field in Kubernetes 1.12+ - sideEffects: None - clientConfig: - service: - name: release-name-cert-manager-webhook - namespace: default - path: /mutate ---- -# Source: cluster-api-operator/charts/cert-manager/templates/webhook-validating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: release-name-cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - annotations: - cert-manager.io/inject-ca-from-secret: "default/release-name-cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - namespaceSelector: - matchExpressions: - - key: cert-manager.io/disable-validation - operator: NotIn - values: - - "true" - rules: - - apiGroups: - - "cert-manager.io" - - "acme.cert-manager.io" - apiVersions: - - "v1" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - admissionReviewVersions: ["v1"] - # This webhook only accepts v1 cert-manager resources. 
- # Equivalent matchPolicy ensures that non-v1 resource requests are sent to - # this webhook (after the resources have been converted to v1). - matchPolicy: Equivalent - timeoutSeconds: 30 - failurePolicy: Fail - sideEffects: None - clientConfig: - service: - name: release-name-cert-manager-webhook - namespace: default - path: /validate ---- -# Source: cluster-api-operator/templates/addon.yaml -apiVersion: v1 -kind: Namespace -metadata: - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "1" - name: override-test-core-addon-system ---- -# Source: cluster-api-operator/templates/bootstrap.yaml -apiVersion: v1 -kind: Namespace -metadata: - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "1" - name: override-test-core-bootstrap-system ---- -# Source: cluster-api-operator/templates/control-plane.yaml -apiVersion: v1 -kind: Namespace -metadata: - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "1" - name: override-test-core-control-plane-system ---- -# Source: cluster-api-operator/templates/core.yaml -apiVersion: v1 -kind: Namespace -metadata: - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "1" - name: capi-system ---- -# Source: cluster-api-operator/templates/infra.yaml -apiVersion: v1 -kind: Namespace -metadata: - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "1" - name: override-test-core-infrastructure-system ---- -# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: release-name-cert-manager-startupapicheck - namespace: default - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "-5" - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: 
"startupapicheck" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 ---- -# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml -# create certificate role -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: release-name-cert-manager-startupapicheck:create-cert - namespace: default - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "-5" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates"] - verbs: ["create"] ---- -# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: release-name-cert-manager-startupapicheck:create-cert - namespace: default - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "-5" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: release-name-cert-manager-startupapicheck:create-cert -subjects: - - kind: ServiceAccount - name: release-name-cert-manager-startupapicheck - namespace: default ---- -# Source: cluster-api-operator/charts/cert-manager/templates/startupapicheck-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: release-name-cert-manager-startupapicheck - 
namespace: default - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - annotations: - helm.sh/hook: post-install - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "1" -spec: - backoffLimit: 4 - template: - metadata: - labels: - app: startupapicheck - app.kubernetes.io/name: startupapicheck - app.kubernetes.io/instance: release-name - app.kubernetes.io/component: "startupapicheck" - app.kubernetes.io/version: "v1.14.5" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.14.5 - spec: - restartPolicy: OnFailure - serviceAccountName: release-name-cert-manager-startupapicheck - enableServiceLinks: false - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - containers: - - name: cert-manager-startupapicheck - image: "quay.io/jetstack/cert-manager-startupapicheck:v1.14.5" - imagePullPolicy: IfNotPresent - args: - - check - - api - - --wait=1m - - -v - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - nodeSelector: - kubernetes.io/os: linux ---- -# Source: cluster-api-operator/templates/addon.yaml -apiVersion: operator.cluster.x-k8s.io/v1alpha2 -kind: AddonProvider -metadata: - name: override-test-core - namespace: override-test-core-addon-system - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "2" - - containers: - - imageUrl: test.org/cluster-api-provider-aws/cluster-api-provider-aws-controller:v0.6.0 - name: manager ---- -# Source: cluster-api-operator/templates/bootstrap.yaml -apiVersion: operator.cluster.x-k8s.io/v1alpha2 -kind: BootstrapProvider -metadata: - name: override-test-core - namespace: override-test-core-bootstrap-system - annotations: - "helm.sh/hook": 
"post-install" - "helm.sh/hook-weight": "2" - - deployment: - containers: - - imageUrl: test.org/cluster-api-bootstrap-provider-kubeadm/cluster-api-kubeadm-controller:v0.4.0 - name: manager ---- -# Source: cluster-api-operator/templates/control-plane.yaml -apiVersion: operator.cluster.x-k8s.io/v1alpha2 -kind: ControlPlaneProvider -metadata: - name: override-test-core - namespace: override-test-core-control-plane-system - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "2" - - deployment: - containers: - - imageUrl: test.org/cluster-api-control-plane/cluster-api-control-plane-controller:v0.4.0 - name: manager ---- -# Source: cluster-api-operator/templates/core.yaml -apiVersion: operator.cluster.x-k8s.io/v1alpha2 -kind: CoreProvider -metadata: - name: override-test-core - namespace: capi-system - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "2" - - containers: - - imageUrl: test.org/cluster-api/cluster-api-controller:v1.7.1 - name: manager ---- -# Source: cluster-api-operator/templates/infra.yaml -apiVersion: operator.cluster.x-k8s.io/v1alpha2 -kind: InfrastructureProvider -metadata: - name: override-test-core - namespace: override-test-core-infrastructure-system - annotations: - "helm.sh/hook": "post-install" - "helm.sh/hook-weight": "2" - - deployment: - containers: - - imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0 - name: manager diff --git a/test/e2e/resources/only-infra-and-addon-override.yaml b/test/e2e/resources/only-infra-and-addon-override.yaml new file mode 100644 index 000000000..92b23fa65 --- /dev/null +++ b/test/e2e/resources/only-infra-and-addon-override.yaml 
@@ -0,0 +1,123 @@
+---
+# Source: cluster-api-operator/templates/addon.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
+ name: helm-addon-system
+---
+# Source: cluster-api-operator/templates/core-conditions.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "1"
+ name: capi-system
+---
+# Source: cluster-api-operator/templates/infra-conditions.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
+ name: capi-kubeadm-bootstrap-system
+---
+# Source: cluster-api-operator/templates/infra-conditions.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
+ name: capi-kubeadm-control-plane-system
+---
+# Source: cluster-api-operator/templates/infra.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
+ name: docker-infrastructure-system
+---
+# Source: cluster-api-operator/templates/addon.yaml
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: AddonProvider
+metadata:
+ name: helm
+ namespace: helm-addon-system
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
+---
+# Source: cluster-api-operator/templates/infra-conditions.yaml
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: BootstrapProvider
+metadata:
+ name: kubeadm
+ namespace: capi-kubeadm-bootstrap-system
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
+spec:
+ configSecret:
+ name: test-secret-name
+ namespace: test-secret-namespace
+---
+# Source: cluster-api-operator/templates/infra-conditions.yaml
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: ControlPlaneProvider
+metadata:
+ name: kubeadm
+ namespace: capi-kubeadm-control-plane-system
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
+spec:
+ configSecret:
+ name: test-secret-name
+ namespace: test-secret-namespace
+---
+# Source: cluster-api-operator/templates/core-conditions.yaml
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: CoreProvider
+metadata:
+ name: cluster-api
+ namespace: capi-system
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "2"
+spec:
+ configSecret:
+ name: test-secret-name
+ namespace: test-secret-namespace
+---
+# Source: cluster-api-operator/templates/infra.yaml
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: InfrastructureProvider
+metadata:
+ name: docker
+ namespace: docker-infrastructure-system
+ annotations:
+ "helm.sh/hook": "post-install"
+ "helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
+spec:
+ configSecret:
+ name: test-secret-name
+ namespace: test-secret-namespace
+ deployment:
+ containers:
+ - imageUrl: test.org/cluster-api-vsphere/cluster-api-vsphere-controller:v1.10.0
+ name: manager
\ No newline at end of file
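Review bot: The AddonProvider document in this expected output (`name: helm`, `namespace: helm-addon-system`) ends after its annotations and has no `spec`, although the fixture is named for an infra and addon override and the InfrastructureProvider document does carry `deployment.containers`. As it stands the golden file pins only the infrastructure override, so the `hasKey (default (dict) $.Values.deploymentOverride) "addon"` branch changed in addon.yaml does not appear to be asserted by this fixture. The values the test renders with are not visible in this hunk; if they set `deploymentOverride.addon`, the expected AddonProvider should include that block (and a missing one would point at the template dropping or misplacing it), and if they do not, a name such as `only-infra-override.yaml` would describe the fixture more accurately. It would also help to have one case rendered with no `deploymentOverride` at all, since that is the nil-map path the `default (dict)` guard was added for.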