From e0c14c074c08807d8dc0740c73952c78b9ecaa43 Mon Sep 17 00:00:00 2001 From: Nicolas Bigler Date: Fri, 11 Apr 2025 16:46:03 +0200 Subject: [PATCH] Refactor component-vcluster to use helm chart This will refactor the component completely to use the latest official helm chart. Due to this change, there are a few breaking changes that will have to be handled carefully. Check the docs for more information Signed-off-by: Nicolas Bigler --- class/defaults.yml | 115 ++- class/vcluster.yml | 15 + component/app.jsonnet | 2 +- component/cluster.libsonnet | 469 ----------- component/coredns.libsonnet | 239 ------ component/main.jsonnet | 48 +- component/ocp-route.libsonnet | 51 +- component/scripts/apply.sh | 18 - component/scripts/create-route.sh | 27 - component/scripts/patch-route.sh | 50 ++ docs/modules/ROOT/pages/how-tos/oidc.adoc | 2 +- .../pages/how-tos/upgrade-1.x-to-2.x.adoc | 132 ++++ .../ROOT/pages/references/parameters.adoc | 139 ++-- .../tutorials/installation-openshift.adoc | 42 +- docs/modules/ROOT/partials/nav.adoc | 1 + .../vcluster/templates/config-secret.yaml | 13 + .../vcluster/templates/coredns-configmap.yaml | 68 ++ .../vcluster/templates/headless-service.yaml | 21 + .../vcluster/templates/ingress.yaml | 31 + .../vcluster/templates/role.yaml | 85 ++ .../vcluster/templates/rolebinding.yaml | 18 + .../vcluster/templates/service.yaml | 27 + .../vcluster/templates/serviceaccount.yaml | 10 + .../vcluster/templates/statefulset.yaml | 148 ++++ .../templates/workload-serviceaccount.yaml | 10 + .../defaults/defaults/10_cluster.yaml | 519 ------------- .../vcluster/templates/config-secret.yaml | 13 + .../vcluster/templates/coredns-configmap.yaml | 68 ++ .../vcluster/templates/ingress.yaml | 31 + .../vcluster/templates/role.yaml | 85 ++ .../vcluster/templates/rolebinding.yaml | 18 + .../vcluster/templates/service.yaml | 27 + .../vcluster/templates/serviceaccount.yaml | 10 + .../vcluster/templates/statefulset.yaml | 142 ++++ .../templates/workload-serviceaccount.yaml | 10 + tests/golden/oidc/oidc/oidc/10_cluster.yaml | 630 --------------- .../golden/oidc/oidc/oidc/11_synthesize.yaml | 77 ++ .../vcluster/templates/config-secret.yaml | 13 + .../vcluster/templates/coredns-configmap.yaml | 68 ++ .../vcluster/templates/headless-service.yaml | 21 + .../vcluster/templates/ingress.yaml | 31 + .../vcluster/templates/role.yaml | 85 ++ .../vcluster/templates/rolebinding.yaml | 18 + .../vcluster/templates/service.yaml | 27 + .../vcluster/templates/serviceaccount.yaml | 10 + .../vcluster/templates/statefulset.yaml | 148 ++++ .../templates/workload-serviceaccount.yaml | 10 + .../openshift/openshift/10_cluster.yaml | 729 ------------------ .../openshift/openshift/20_scc_role.yaml | 17 + .../openshift/20_scc_role_binding.yaml | 18 + tests/oidc.yml | 4 +- 51 files changed, 1786 insertions(+), 2824 deletions(-) delete mode 100644 component/cluster.libsonnet delete mode 100644 component/coredns.libsonnet delete mode 100755 component/scripts/apply.sh delete mode 100755 component/scripts/create-route.sh create mode 100755 component/scripts/patch-route.sh create mode 100644 docs/modules/ROOT/pages/how-tos/upgrade-1.x-to-2.x.adoc create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/config-secret.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/headless-service.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/ingress.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/role.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/service.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/statefulset.yaml create mode 100644 tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml delete mode 100644 tests/golden/defaults/defaults/defaults/10_cluster.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/config-secret.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/ingress.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/role.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/service.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/statefulset.yaml create mode 100644 tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml delete mode 100644 tests/golden/oidc/oidc/oidc/10_cluster.yaml create mode 100644 tests/golden/oidc/oidc/oidc/11_synthesize.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/config-secret.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/headless-service.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/ingress.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/role.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/service.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/statefulset.yaml create mode 100644 tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml delete mode 100644 tests/golden/openshift/openshift/openshift/10_cluster.yaml create mode 100644 tests/golden/openshift/openshift/openshift/20_scc_role.yaml create mode 100644 tests/golden/openshift/openshift/openshift/20_scc_role_binding.yaml diff --git a/class/defaults.yml b/class/defaults.yml index fe92993..d97f441 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -6,56 +6,115 @@ parameters: namespace: syn-${_instance} namespaceMetadata: {} - host_service_cidr: null + charts: + vcluster: + source: https://charts.loft.sh + version: 0.24.1 images: k3s: registry: docker.io image: rancher/k3s - tag: v1.25.15-k3s1 + tag: v1.32.1-k3s1 syncer: - registry: docker.io - image: loftsh/vcluster - tag: "0.14.1" + registry: ghcr.io + image: loft-sh/vcluster-oss + tag: "0.24.1" kubectl: registry: docker.io image: bitnami/kubectl - tag: "1.28.15" + tag: "1.32.1" storage: - persistence: true + persistence: auto size: 5Gi class_name: null - resources: - k3s: - requests: - cpu: 200m - memory: 256Mi - limits: - memory: 2Gi - syncer: - requests: - cpu: 100m - memory: 128Mi - limits: - memory: 1Gi + k3s: + additional_args: [] ingress: + enabled: true host: null - labels: {} annotations: cert-manager.io/cluster-issuer: letsencrypt-production - ocp_route: - host: null + backing_store: {} - k3s: - additional_args: [] - syncer: - additional_args: [] + additional_manifests: nil + + resources: + k3s: + requests: + cpu: 40m + memory: 64Mi + limits: + cpu: 100m + memory: 256Mi + syncer: + requests: + cpu: 200m + memory: 256Mi + limits: + memory: 2Gi - additional_manifests: {} + helm_values: + sync: + toHost: + ingresses: + enabled: true + controlPlane: + distro: + k3s: + enabled: true + extraArgs: ${vcluster:k3s:additional_args} + image: + registry: ${vcluster:images:k3s:registry} + repository: ${vcluster:images:k3s:image} + tag: ${vcluster:images:k3s:tag} + resources: ${vcluster:resources:k3s} + statefulSet: + security: + containerSecurityContext: + allowPrivilegeEscalation: false + runAsUser: null + runAsGroup: null + resources: + ${vcluster:resources:syncer} + image: + registry: ${vcluster:images:syncer:registry} + repository: ${vcluster:images:syncer:image} + tag: ${vcluster:images:syncer:tag} + persistence: + volumeClaim: + enabled: ${vcluster:storage:persistence} + size: ${vcluster:storage:size} + storageClass: ${vcluster:storage:class_name} + backingStore: ${vcluster:backing_store} + ingress: + enabled: ${vcluster:ingress:enabled} + host: ${vcluster:ingress:host} + annotations: ${vcluster:ingress:annotations} + spec: + tls: + - hosts: + - ${vcluster:ingress:host} + secretName: ${_instance}-tls + rbac: + role: + extraRules: + - apiGroups: [""] + resources: ["endpoints/restricted"] + verbs: ["create"] + exportKubeConfig: + server: https://${vcluster:ingress:host} + serviceAccount: + name: ${_instance}-admin + clusterRole: cluster-admin + experimental: + deploy: + vcluster: + manifests: ${vcluster:additional_manifests} syn: registration_url: null diff --git a/class/vcluster.yml b/class/vcluster.yml index ec527a2..55ce0f6 100644 --- a/class/vcluster.yml +++ b/class/vcluster.yml @@ -1,5 +1,11 @@ parameters: kapitan: + dependencies: + - type: helm + source: ${vcluster:charts:vcluster:source} + chart_name: vcluster + version: ${vcluster:charts:vcluster:version} + output_path: ${_base_directory}/helmcharts/vcluster/${vcluster:charts:vcluster:version} compile: - input_paths: - vcluster/component/app.jsonnet @@ -9,3 +15,12 @@ parameters: - vcluster/component/main.jsonnet input_type: jsonnet output_path: ${_instance}/ + - output_path: ${_instance}/01_vcluster_helmchart + input_type: helm + output_type: yaml + input_paths: + - ${_base_directory}/helmcharts/vcluster/${vcluster:charts:vcluster:version} + helm_params: + name: "${_instance}" + namespace: "${vcluster:namespace}" + helm_values: ${vcluster:helm_values} diff --git a/component/app.jsonnet b/component/app.jsonnet index c8a6c3e..52d92f4 100644 --- a/component/app.jsonnet +++ b/component/app.jsonnet @@ -4,7 +4,7 @@ local params = inv.parameters.vcluster; local instance = inv.parameters._instance; local argocd = import 'lib/argocd.libjsonnet'; -local app = argocd.App(instance, params.namespace); +local app = argocd.App(instance, params.namespace, base='vcluster'); local appPath = local project = std.get(std.get(app, 'spec', {}), 'project', 'syn'); diff --git a/component/cluster.libsonnet b/component/cluster.libsonnet deleted file mode 100644 index 73e8f99..0000000 --- a/component/cluster.libsonnet +++ /dev/null @@ -1,469 +0,0 @@ -local kap = import 'lib/kapitan.libjsonnet'; -local kube = import 'lib/kube.libjsonnet'; -local ocpRoute = import 'ocp-route.libsonnet'; -local postSetup = import 'post-setup.libsonnet'; -local inv = kap.inventory(); -local common = import 'common.libsonnet'; -// The hiera parameters for the component -local params = inv.parameters.vcluster; - -local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift'); - -local cluster = function(name, options) - local sa = kube.ServiceAccount('vc-' + name) { - metadata+: { - namespace: options.namespace, - }, - }; - local role = kube.Role(name) { - metadata+: { - namespace: options.namespace, - }, - rules: [ - { - apiGroups: [ - '', - ], - resources: [ - 'configmaps', - 'secrets', - 'services', - 'pods', - 'pods/attach', - 'pods/portforward', - 'pods/exec', - 'endpoints', - 'persistentvolumeclaims', - ], - verbs: [ - 'create', - 'delete', - 'patch', - 'update', - 'get', - 'list', - 'watch', - ], - }, - { - apiGroups: [ - '', - ], - resources: [ - 'events', - 'pods/log', - ], - verbs: [ - 'get', - 'list', - 'watch', - ], - }, - { - apiGroups: [ - 'networking.k8s.io', - ], - resources: [ - 'ingresses', - ], - verbs: [ - 'create', - 'delete', - 'patch', - 'update', - 'get', - 'list', - 'watch', - ], - }, - { - apiGroups: [ - 'apps', - ], - resources: [ - 'statefulsets', - 'replicasets', - 'deployments', - ], - verbs: [ - 'get', - 'list', - 'watch', - ], - }, - ] + if isOpenshift then - [ - { - apiGroups: [ - '', - ], - resources: [ - 'endpoints/restricted', - ], - verbs: [ - 'create', - ], - }, - ] else [], - }; - local roleBinding = kube.RoleBinding(name) { - metadata+: { - namespace: options.namespace, - }, - subjects_: [ sa ], - roleRef_: role, - }; - - local clusterRole = kube.ClusterRole('syn-vcluster-%s' % [ name ]) { - rules: [ - { - apiGroups: [ - 'networking.k8s.io', - ], - resources: [ - 'ingressclasses', - ], - verbs: [ - 'get', - 'list', - 'watch', - ], - }, - ], - }; - local clusterRoleBinding = kube.ClusterRoleBinding('syn-vcluster-%s' % [ name ]) { - subjects_: [ sa ], - roleRef_: clusterRole, - }; - - local sccRole = if isOpenshift then - kube.Role('use-nonroot-v2') { - metadata+: { - namespace: options.namespace, - }, - rules: [ - { - apiGroups: [ - 'security.openshift.io', - ], - resourceNames: [ - 'nonroot-v2', - ], - resources: [ - 'securitycontextconstraints', - ], - verbs: [ - 'use', - ], - }, - ], - }; - local sccRoleBinding = if isOpenshift then - kube.RoleBinding('default-use-nonroot-v2') { - metadata+: { - annotations+: { - 'vcluster.syn.tools/description': 'Allow vcluster to sync pods with arbitrary nonroot users by allowing the default ServiceAccount to use the nonroot-v2 scc', - }, - namespace: options.namespace, - }, - roleRef_: sccRole, - subjects: [ - { - kind: 'ServiceAccount', - name: 'default', - namespace: options.namespace, - }, - ], - }; - - local service = kube.Service(name) { - metadata+: { - namespace: options.namespace, - }, - spec: { - type: 'ClusterIP', - ports: [ - { - name: 'https', - port: 443, - targetPort: 8443, - protocol: 'TCP', - }, - ], - selector: { - app: 'vcluster', - release: name, - }, - }, - }; - - local headlessService = kube.Service(name + '-headless') { - metadata+: { - namespace: options.namespace, - }, - spec: { - ports: [ - { - name: 'https', - port: 443, - targetPort: 8443, - protocol: 'TCP', - }, - ], - clusterIP: 'None', - selector: { - app: 'vcluster', - release: name, - }, - }, - }; - - local initManifestsCM = kube.ConfigMap(name + '-init-manifests') { - local manifests = options.additional_manifests, - local manifestArray = if std.isArray(manifests) then - manifests - else if std.isObject(manifests) then - std.objectValues(manifests) - else - error 'Manifests must be array or object' - , - - metadata+: { - namespace: options.namespace, - }, - data: { - manifests: std.manifestYamlStream(manifestArray, false, false), - }, - }; - - local statefulSet = kube.StatefulSet(name) { - metadata+: { - namespace: options.namespace, - }, - spec: { - serviceName: name + '-headless', - replicas: 1, - selector: { - matchLabels: { - app: 'vcluster', - release: name, - }, - }, - volumeClaimTemplates: - if options.storage.persistence then [ - { - metadata: { - name: 'data', - }, - spec: { - accessModes: [ 'ReadWriteOnce' ], - storageClassName: options.storage.class_name, - resources: { - requests: { - storage: options.storage.size, - }, - }, - }, - }, - ] else [], - template: { - metadata: { - labels: { - app: 'vcluster', - release: name, - }, - }, - spec: { - terminationGracePeriodSeconds: 10, - nodeSelector: {}, - affinity: {}, - tolerations: [], - serviceAccountName: 'vc-' + name, - volumes: [ - { - name: 'coredns', - configMap: { - name: 'vc-%s-coredns' % name, - defaultMode: 420, - }, - }, - { - name: 'etc-rancher', - emptyDir: {}, - }, - ] + if !options.storage.persistence then [ - { - name: 'data', - emptyDir: {}, - }, - ] else [], - local tlsSANs = [ - '--tls-san=%s.%s.svc.cluster.local' % [ name, options.namespace ], - '--tls-san=%s.%s.svc' % [ name, options.namespace ], - '--tls-san=%s.%s' % [ name, options.namespace ], - '--tls-san=%s' % [ name ], - ], - containers: [ - { - image: common.formatImage(options.images.k3s), - name: 'vcluster', - command: [ - '/bin/k3s', - ], - assert options.host_service_cidr != null : ||| - `host_service_cidr` must be set. - - You can find out a host cluster's service CIDR by deploying a service with an invalid ClusterIP (such as 1.1.1.1). - $ kubectl create svc clusterip check-service-cidr --clusterip=1.1.1.1 --tcp=5678:5678 - The error message shows the host cluster's service CIDR: - > The Service "check-service-cidr" is invalid: spec.clusterIPs: Invalid value: []string{"1.1.1.1"}.... The range of valid IPs is 10.96.0.0/12. - |||, - args: [ - 'server', - '--write-kubeconfig=/data/k3s-config/kube-config.yaml', - '--data-dir=/data', - '--disable=traefik,servicelb,metrics-server,local-storage,coredns', - '--disable-network-policy', - '--disable-agent', - '--disable-scheduler', - '--disable-cloud-controller', - '--flannel-backend=none', - '--service-cidr=%s' % options.host_service_cidr, - '--kube-controller-manager-arg=controllers=*,-nodeipam,-nodelifecycle,-persistentvolume-binder,-attachdetach,-persistentvolume-expander,-cloud-node-lifecycle', - ] + tlsSANs + options.k3s.additional_args, - env: [], - securityContext: { - allowPrivilegeEscalation: false, - }, - volumeMounts: [ - { - mountPath: '/data', - name: 'data', - }, - { - mountPath: '/etc/rancher', - name: 'etc-rancher', - }, - ], - resources: params.resources.k3s, - }, - { - name: 'syncer', - image: common.formatImage(options.images.syncer), - args: [ - '--name=' + name, - '--out-kube-config-secret=vc-%s-kubeconfig' % name, - '--sync=ingresses', - ] + tlsSANs + options.syncer.additional_args, - livenessProbe: { - httpGet: { - path: '/healthz', - port: 8443, - scheme: 'HTTPS', - }, - failureThreshold: 10, - initialDelaySeconds: 60, - periodSeconds: 2, - }, - readinessProbe: { - httpGet: { - path: '/readyz', - port: 8443, - scheme: 'HTTPS', - }, - failureThreshold: 30, - periodSeconds: 2, - }, - securityContext: { - allowPrivilegeEscalation: false, - }, - env: [ - // ensure that syncer TLS certificate is also valid for pod IP - { - name: 'POD_IP', - valueFrom: { - fieldRef: { - fieldPath: 'status.podIP', - }, - }, - }, - ], - volumeMounts: [ - { - mountPath: '/data', - name: 'data', - readOnly: true, - }, - { - mountPath: '/manifests/coredns', - name: 'coredns', - readOnly: true, - }, - ], - resources: params.resources.syncer, - }, - ], - }, - }, - }, - }; - - local ingress = kube._Object('networking.k8s.io/v1', 'Ingress', name) { - metadata+: { - namespace: options.namespace, - annotations+: options.ingress.annotations, - labels+: options.ingress.labels, - }, - spec: { - rules: [ - { - host: options.ingress.host, - http: { - paths: [ - { - backend: { - service: { - name: name, - port: { - name: 'https', - }, - }, - }, - path: '/', - pathType: 'Prefix', - }, - ], - }, - }, - ], - tls: [ - { - hosts: [ - options.ingress.host, - ], - secretName: name + '-tls', - }, - ], - }, - }; - - std.filter(function(m) m != null, [ - sa, - role, - roleBinding, - clusterRole, - clusterRoleBinding, - sccRole, - sccRoleBinding, - service, - headlessService, - statefulSet, - initManifestsCM, - (import 'coredns.libsonnet').corednsConfigMap(name, options.namespace), - if options.ingress.host != null then ingress, - if options.syn.registration_url != null then postSetup.Synthesize(name, 'vc-%s-kubeconfig' % name, options.syn.registration_url), - ] + if options.ocp_route.host != null then ocpRoute.RouteCreateJob(name, 'vc-%s-kubeconfig' % name, options.ocp_route.host) else []); - -{ - Cluster: cluster, -} diff --git a/component/coredns.libsonnet b/component/coredns.libsonnet deleted file mode 100644 index 2417d76..0000000 --- a/component/coredns.libsonnet +++ /dev/null @@ -1,239 +0,0 @@ -local kap = import 'lib/kapitan.libjsonnet'; -local kube = import 'lib/kube.libjsonnet'; -local inv = kap.inventory(); -local common = import 'common.libsonnet'; -// The hiera parameters for the component -local params = inv.parameters.vcluster; - -local corednsConfigMap = - function(name, namespace) - kube.ConfigMap('vc-%s-coredns' % name) { - metadata+: { - namespace: namespace, - }, - data: { - // The deployment has some variables in there that get modified by vcluster. - // It is not valid yaml, so we need to use a string. - // The Helm chart does use a string too. - 'coredns.yaml': ||| - apiVersion: v1 - kind: ServiceAccount - metadata: - name: coredns - namespace: kube-system - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns - subjects: - - kind: ServiceAccount - name: coredns - namespace: kube-system - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: coredns - namespace: kube-system - data: - Corefile: | - .:1053 { - {{.LOG_IN_DEBUG}} - errors - health - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - } - hosts /etc/coredns/NodeHosts { - ttl 60 - reload 15s - fallthrough - } - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } - - import /etc/coredns/custom/*.server - NodeHosts: "" - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: coredns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/name: "CoreDNS" - spec: - replicas: 1 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: kube-dns - template: - metadata: - labels: - k8s-app: kube-dns - spec: - priorityClassName: "system-cluster-critical" - serviceAccountName: coredns - nodeSelector: - kubernetes.io/os: linux - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - k8s-app: kube-dns - containers: - - name: coredns - image: {{.IMAGE}} - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 1000m - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - - name: custom-config-volume - mountPath: /etc/coredns/custom - readOnly: true - ports: - - containerPort: 1053 - name: dns - protocol: UDP - - containerPort: 1053 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - securityContext: - runAsNonRoot: true - runAsUser: {{.RUN_AS_USER}} - runAsGroup: {{.RUN_AS_GROUP}} - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 2 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: Default - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile - - key: NodeHosts - path: NodeHosts - - name: custom-config-volume - configMap: - name: coredns-custom - optional: true - --- - apiVersion: v1 - kind: Service - metadata: - name: kube-dns - namespace: kube-system - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - spec: - selector: - k8s-app: kube-dns - type: ClusterIP - ports: - - name: dns - port: 53 - targetPort: 1053 - protocol: UDP - - name: dns-tcp - port: 53 - targetPort: 1053 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP - |||, - }, - }; - -{ - corednsConfigMap: corednsConfigMap, -} diff --git a/component/main.jsonnet b/component/main.jsonnet index 5cebe13..9add4fb 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -7,11 +7,57 @@ local inv = kap.inventory(); // The hiera parameters for the component local params = inv.parameters.vcluster; local instance = inv.parameters._instance; +local ocpRoute = import 'ocp-route.libsonnet'; +local postSetup = import 'post-setup.libsonnet'; + +local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift') || inv.parameters.facts.distribution == 'oke'; + +local sccRole = kube.Role('use-nonroot-v2') { + metadata+: { + namespace: params.namespace, + }, + rules: [ + { + apiGroups: [ + 'security.openshift.io', + ], + resourceNames: [ + 'nonroot-v2', + ], + resources: [ + 'securitycontextconstraints', + ], + verbs: [ + 'use', + ], + }, + ], +}; +local sccRoleBinding = kube.RoleBinding('vcluster-use-nonroot-v2') { + metadata+: { + annotations+: { + 'vcluster.syn.tools/description': 'Allow vcluster to sync pods with arbitrary nonroot users by allowing the default ServiceAccount to use the nonroot-v2 scc', + }, + namespace: params.namespace, + }, + roleRef_: sccRole, + subjects: [ + { + kind: 'ServiceAccount', + name: 'vc-%s' % instance, + namespace: params.namespace, + }, + ], +}; + // Define outputs below { '00_namespace': kube.Namespace(params.namespace) { metadata+: com.makeMergeable(params.namespaceMetadata), }, - '10_cluster': cluster.Cluster(instance, params), + [if isOpenshift && params.ingress.enabled && params.ingress.host != null then '11_ocp_route']: ocpRoute.RoutePatchJob(instance, 'vc-%s' % instance, params.ingress.host), + [if params.syn.registration_url != null then '11_synthesize']: postSetup.Synthesize(instance, 'vc-%s' % instance, params.syn.registration_url), + [if isOpenshift then '20_scc_role']: sccRole, + [if isOpenshift then '20_scc_role_binding']: sccRoleBinding, } diff --git a/component/ocp-route.libsonnet b/component/ocp-route.libsonnet index 8d88851..6a807f8 100644 --- a/component/ocp-route.libsonnet +++ b/component/ocp-route.libsonnet @@ -1,14 +1,15 @@ /* -* Creates a re-encrypting OCP route. +* Patches the OCP route. * * Routes do not support reading certificates from secrets. Thus -* certificates have to be known before creating a route. +* certificates have to be known before creating a route or patched +* in afterwards. Since the route is automatically created from +* the ingress, we will patch the route afterwards. * The clusters serving certificate is only known after startup. * So we create a job that: * - Mounts the vclusters kubeconfig * - Reads the clusters self signed serving certificate from it -* - Inserts the certificate into the route template -* - Creates the route and sets ownership to the vcluster StatefulSet +* - Patches the route */ local kap = import 'lib/kapitan.libjsonnet'; @@ -18,9 +19,9 @@ local inv = kap.inventory(); local params = inv.parameters.vcluster; local common = import 'common.libsonnet'; -local script = importstr './scripts/create-route.sh'; +local script = importstr './scripts/patch-route.sh'; -local routeCreateJob = function(name, secretName, host) +local routePatchJob = function(name, secretName, host) local jobName = name + '-create-route'; local role = kube.Role(jobName) { @@ -32,9 +33,8 @@ local routeCreateJob = function(name, secretName, host) verbs: [ '*' ], }, { - apiGroups: [ 'apps' ], - resources: [ 'statefulsets' ], - resourceNames: [ name ], + apiGroups: [ 'cert-manager.io' ], + resources: [ 'certificates' ], verbs: [ 'get' ], }, ], @@ -50,29 +50,6 @@ local routeCreateJob = function(name, secretName, host) roleRef_: role, }; - local routeTemplate = std.manifestJsonEx(kube._Object('route.openshift.io/v1', 'Route', name) { - metadata+: { - namespace: params.namespace, - }, - spec: { - host: host, - path: '/', - port: { - targetPort: 'https', - }, - tls: { - insecureEdgeTerminationPolicy: 'None', - termination: 'reencrypt', - }, - to: { - kind: 'Service', - name: name, - weight: 100, - }, - wildcardPolicy: 'None', - }, - }, ''); - local job = kube.Job(jobName) { metadata+: { namespace: params.namespace, @@ -89,21 +66,21 @@ local routeCreateJob = function(name, secretName, host) image: common.formatImage(params.images.kubectl), workingDir: '/export', command: [ 'sh' ], - args: [ '-eu', '-c', script, '--', routeTemplate ], + args: [ '-eu', '-c', script ], env: [ { name: 'HOME', value: '/export' }, { name: 'NAMESPACE', value: params.namespace }, - { name: 'VCLUSTER_STS_NAME', value: name }, + { name: 'VCLUSTER_NAME', value: name }, ], volumeMounts: [ { name: 'export', mountPath: '/export' }, - { name: 'kubeconfig', mountPath: '/etc/vcluster-kubeconfig', readOnly: true }, + { name: 'vcluster-config', mountPath: '/etc/vcluster-config', readOnly: true }, ], }, }, volumes+: [ { name: 'export', emptyDir: {} }, - { name: 'kubeconfig', secret: { secretName: secretName } }, + { name: 'vcluster-config', secret: { secretName: secretName } }, ], }, }, @@ -117,5 +94,5 @@ local routeCreateJob = function(name, secretName, host) ]; { - RouteCreateJob: routeCreateJob, + RoutePatchJob: routePatchJob, } diff --git a/component/scripts/apply.sh b/component/scripts/apply.sh deleted file mode 100755 index 85305af..0000000 --- a/component/scripts/apply.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh -set -eu - -cp /etc/vcluster-kubeconfig/config ./config -vcluster_kubeconfig=./config - -echo "Setting server URL..." - -kubectl --kubeconfig "$vcluster_kubeconfig" config set clusters.local.server "$VCLUSTER_SERVER_URL" - -echo "Applying manifests..." - -for manifest in "$@" -do - printf "$manifest" | kubectl --kubeconfig "$vcluster_kubeconfig" apply -f - -oyaml -done - -echo "Done!" diff --git a/component/scripts/create-route.sh b/component/scripts/create-route.sh deleted file mode 100755 index 62a289f..0000000 --- a/component/scripts/create-route.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh -set -eu - -vcluster_kubeconfig=/etc/vcluster-kubeconfig/config - -echo "Using kubeconfig: $vcluster_kubeconfig" - -cert=$(kubectl --kubeconfig $vcluster_kubeconfig config view '-o=template={{(index (index .clusters 0).cluster "certificate-authority-data") | base64decode}}' --raw) - -echo "Found certificate:\n$cert" - -echo "Looking for StatefulSet.apps/${VCLUSTER_STS_NAME}..." - -owner=$(kubectl get StatefulSet.apps "$VCLUSTER_STS_NAME" -ojson | jq '{kind: .kind, apiVersion: .apiVersion, name: .metadata.name, uid: .metadata.uid}') - -echo "Found StatefulSet as owner: $owner" - -echo "Applying route..." - -printf "$1" \ - | jq \ - --arg cert "$cert" \ - --argjson owner "$owner" \ - '.metadata.ownerReferences = [$owner] | .spec.tls.destinationCACertificate = $cert' \ - | kubectl apply -f - -oyaml - -echo "Done!" diff --git a/component/scripts/patch-route.sh b/component/scripts/patch-route.sh new file mode 100755 index 0000000..b76d1b9 --- /dev/null +++ b/component/scripts/patch-route.sh @@ -0,0 +1,50 @@ +#!/bin/sh +set -eu + +cert=/etc/vcluster-config/certificate-authority + +echo "Using ca: $cert" + +echo "Looking for routes.route.openshift.io for ${VCLUSTER_NAME}..." + +route_name=$(kubectl -n "$NAMESPACE" get routes.route.openshift.io -ojson | jq -r '.items[].metadata | select(.ownerReferences !=null) | select(.ownerReferences[].name=="'"${VCLUSTER_NAME}"'") | .name') + +echo "Found route: $route_name" + +echo "Check if route is already patched" + +patched=$(kubectl -n "$NAMESPACE" get route "$route_name" -o jsonpath='{.spec.tls.destinationCACertificate}') + +if [ "$patched" != "" ]; then + echo "Route is already patched. Nothing to do" + exit +fi + +echo "Waiting for route to have a proper certificate" + +i=0 +while [ "$i" -lt 100 ]; do + certificate_status=$(kubectl -n "$NAMESPACE" get certificate "$VCLUSTER_NAME"-tls -o jsonpath='{.status.conditions[0].type}') + if [ "$certificate_status" = "Ready" ]; then break; fi + sleep 10 + $i++ +done + +if [ "$certificate_status" != "Ready" ]; then + echo "Certificate is not ready. Please check status of certificate issuance." + exit 1 +fi + +patch_cert="$(cat ${cert} | sed 's/$/\\n/' | tr -d '\n')" + +patch_file=$(mktemp) + +printf '%s\n' '{"spec":{"tls":{"destinationCACertificate":"'"$(printf '%s\n' "${patch_cert}")"'"}}}' > "${patch_file}" + +echo "Patching route..." + +kubectl -n "$NAMESPACE" patch route "$route_name" --patch-file "${patch_file}" + +rm "${patch_file}" + +echo "Done!" diff --git a/docs/modules/ROOT/pages/how-tos/oidc.adoc b/docs/modules/ROOT/pages/how-tos/oidc.adoc index 982fab9..fb55ced 100644 --- a/docs/modules/ROOT/pages/how-tos/oidc.adoc +++ b/docs/modules/ROOT/pages/how-tos/oidc.adoc @@ -57,7 +57,7 @@ parameters: - --kube-apiserver-arg=oidc-client-id=$YOUR_CLIENT_ID <2> - --kube-apiserver-arg=oidc-username-claim=preferred_username - --kube-apiserver-arg=oidc-groups-claim=groups - additional_manifests: <3> + additional_manifests: |- <3> cluster-admin: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/docs/modules/ROOT/pages/how-tos/upgrade-1.x-to-2.x.adoc b/docs/modules/ROOT/pages/how-tos/upgrade-1.x-to-2.x.adoc new file mode 100644 index 0000000..7348a8e --- /dev/null +++ b/docs/modules/ROOT/pages/how-tos/upgrade-1.x-to-2.x.adoc @@ -0,0 +1,132 @@ += Upgrade from 1.x to 2.x + +Version 2.x brings a lot of changes and an upgrade is currently not officially supported and not tested. + +This guide describes the steps to perform an upgrade of component from version 1.x to 2.x. + +[WARNING] +==== +Before upgrading to version 2.x, please ensure you have a backup of the vcluster (backingStore PVC). +As of this writing the upgrade has not been tested and is only theoretical. + +There are a lot of breaking changes between the two versions. So tread carefully. +==== + +== Introduction + +The component version 1.x did not use any helm chart instead the manifests where created in the component and haven't been updated. +Vcluster has evolved a lot since than and a lot of things have changed. + +The new version 2.x makes use of the official helm chart to deploy the vcluster. + +== Step-by-step guide + +Some parameters have been removed or renamed. You will have to remap those before upgrading: + +=== Dropped parameters + +==== `host_service_cidr` + +This parameter is obsolete and is now internally handled by vcluster + +==== `syncer.additional_args` + +This parameter has been dropped, as it doesn't exist anymore upstream. Please consult the https://github.com/loft-sh/vcluster/blob/main/chart/values.yaml[values file] of the official helm chart to configure various settings that were previously done using `additional_args + +==== `ocp_route.host` + +This parameter is not used anymore. The route will automatically be patched if the `ingress.host` is set and the cluster is running on Openshift + +===== Examples + +====== Image override + +[source,yaml] +---- +syncer: + additional_args: + - --override-hosts-container-image=dockerhub.vshn.net/library/alpine:3.13.1 +---- +This image override is now set as follows: + +[source,yaml] +---- +helm_values: + sync: + toHost: + pods: + rewriteHosts: + initContainer: + image: dockerhub.vshn.net/library/alpine:3.20 +---- + +====== Service mappings + +[source,yaml] +----- +syncer: + additional_args: + - --map-host-service=my-host-namespace/my-host-service=my-virtual-namespace/my-virtual-service + - --map-virtual-service=my-virtual-namespace/my-virtual-service/bar=my-host-service + +----- + +This is now done like using `replicateServices` + +[source,yaml] +---- +helm_values: + replicateServices: + fromHost: + - from: my-host-namespace/my-host-service + to: my-virtual-namespace/my-virtual-service + + + toHost: + - from: my-virtual-namespace/my-virtual-service + to: my-host-service +---- + +=== Changed parameters + +==== `storage.persistence` + +This changed from true to auto to let vcluster decide the proper persistence setting automatically (eg. disable persistence when using dedicated etcd) + +==== `resources.k3s` + +This container is now an init container and not a regular container. Therefore the resources have been adjusted accordingly and now match the upstream helm chart values. + +==== `resources.syncer` + +The resources on this container have been increased to match the recommended default values from the upstream chart. + +==== `additional_manifests` + +This parameter has changed form a dict to a string, as the upstream field changed. + +=== New parameters + +==== `backing_store` + +This new parameter allows to configure the backingStore for the vcluster. Here you can for example configure the vcluster to use etcd instead of the default embedded database (sqlite). + +==== `helm_values` + +The raw default values of the component. See the https://github.com/loft-sh/vcluster/blob/main/chart/values.yaml[value file] of the offical helm chart for all options. + + +=== Procedure + +[WARNING] This procedure has not been tested yet. Please tread very carefully. + +Once you have updated all parameters compile the catalog and verify thoroughly the diff. Most notably check the statefulset and the configured volumeClaim. It's important that the volumeClaimName is identical to the old version to ensure that the same volume is used. + +Due to the many changes in the statefulset you won't be able to apply the changes in the statefulset. You will have to first delete the statefulset and then have it reapplied by argocd: + +[source,bash] +---- +kubectl -n ${NS} delete statefulset ${INSTANCE_NAME} --cascade=orphan +---- + +Once the statefulset has been recreated check the logs of the vcluster pod to ensure everything is working as expected. diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 06ea797..a593846 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc @@ -32,29 +32,6 @@ namespace: Additional metadata for the namespace. -== `host_service_cidr` - -[horizontal] -type:: string -default:: `null` - -The host cluster's service CIDR. Must be set. - -You can find out a host cluster's service CIDR by deploying a service with an invalid ClusterIP (such as 1.1.1.1). - -[source,shell] ----- -kubectl create svc clusterip check-service-cidr --clusterip=1.1.1.1 --tcp=5678:5678 ----- - -The error message shows the host cluster's service CIDR: - -[source] ----- -The Service "check-service-cidr" is invalid: spec.clusterIPs: Invalid value: []string{"1.1.1.1"}.... The range of valid IPs is 10.96.0.0/12. ----- - - == `images` [horizontal] @@ -64,11 +41,6 @@ Dictionary containing the container images used by this component. The `kubectl` image is used to create OCP routes. The `kubectl` and `jq` binaries are required in this image. -[NOTE] -The deprecated parameter `repository` is still supported for backwards compatibility. -Use `registry` instead. -`repository` overrides the `registry` parameter if both are set. - == `k3s.additional_args` [horizontal] @@ -80,50 +52,21 @@ example:: ---- k3s: additional_args: - - --kube-apiserver-arg=oidc-issuer-url=https://id.local/auth/realms/local - - --kube-apiserver-arg=oidc-client-id=local - - --kube-apiserver-arg=oidc-username-claim=email - - --kube-apiserver-arg=oidc-groups-claim=groups + - --kube-apiserver-arg=oidc-issuer-url=https://id.local/auth/realms/local + - --kube-apiserver-arg=oidc-client-id=local + - --kube-apiserver-arg=oidc-username-claim=email + - --kube-apiserver-arg=oidc-groups-claim=groups ---- Additional arguments for the k3s cluster. -== `syncer.additional_args` - -[horizontal] -type:: list -default:: `[]` - -Additional arguments for vcluster syncer. - - -== `storage.persistence` - -[horizontal] -type:: boolean -default:: `true` - -Persistence controls whether vcluster resources are persisted between deployments. - - -== `storage.size` - -[horizontal] -type:: string -default:: `5Gi` - -The size of the persistent volume claim. - - -== `storage.class_name` +== `backing_store` [horizontal] -type:: string -default:: `null` - -The `StorageClass` used for the persistent volume claim. +type:: dictionary +Configuration for the backing store. If nothing configured it uses embedded database (sqlite). For configuration options see https://www.vcluster.com/docs/vcluster/configure/vcluster-yaml/control-plane/components/backing-store/[the offical documentation] == `resources` @@ -136,16 +79,17 @@ default:: resources: k3s: requests: - cpu: 200m - memory: 256Mi + cpu: 40m + memory: 64Mi limits: - memory: 2Gi + cpu: 100m + memory: 256Mi syncer: requests: - cpu: 100m - memory: 128Mi + cpu: 200m + memory: 256Mi limits: - memory: 1Gi + memory: 2Gi ---- The resource requests and limits for the k3s and syncer containers. @@ -183,15 +127,6 @@ ingress: Additional annotations for the ingress object. -== `ingress.labels` - -[horizontal] -type:: dict -default:: `{}` - -Additional labels for the ingress object. - - == `ocp_route.host` [horizontal] @@ -205,7 +140,6 @@ The route is set with TLS termination set to re-encrypt. The re-encyption breaks the mTLS user authentication. A secondary authentication method, like OIDC, should be configured. - == `syn.registration_url` [horizontal] @@ -215,17 +149,42 @@ example:: `https://api.syn.example.com/install/steward.json?token=cHJvamVjdCBzeW If set, the vcluster is registered with a Project SYN instance. +== `storage.persistence` + +[horizontal] +type:: bool or string +default:: `auto` + +Persistence controls whether vcluster resources are persisted between deployments. Defaults to auto, where vcluster will automatically determine based on the chosen distro and backing_store. + + +== `storage.size` + +[horizontal] +type:: string +default:: `5Gi` + +The size of the persistent volume claim. + + +== `storage.class_name` + +[horizontal] +type:: string +default:: `null` + +The `StorageClass` used for the persistent volume claim. == `additional_manifests` [horizontal] -type:: dict -default:: `{}` +type:: string +default:: `""` example:: + [source,yaml] ---- -additional_manifests: +additional_manifests: |- cluster-admin: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -242,14 +201,18 @@ additional_manifests: Manifests that should be applied to the vcluster after startup. +== `helm_values` + +[horizontal] +type:: dict + +You can override the default helm values here. The default configuration comes with k3s as well as ingress enabled. See defaults.yaml for the exact configuration. + == Example [source,yaml] ---- -host_service_cidr: 172.30.0.0/16 -storage: - persistence: false ingress: host: testcluster.local k3s: @@ -258,4 +221,8 @@ k3s: - --kube-apiserver-arg=oidc-client-id=local - --kube-apiserver-arg=oidc-username-claim=email - --kube-apiserver-arg=oidc-groups-claim=groups +backing_store: + etcd: + deploy: + enabled: true ---- diff --git a/docs/modules/ROOT/pages/tutorials/installation-openshift.adoc b/docs/modules/ROOT/pages/tutorials/installation-openshift.adoc index 245f717..efc867b 100644 --- a/docs/modules/ROOT/pages/tutorials/installation-openshift.adoc +++ b/docs/modules/ROOT/pages/tutorials/installation-openshift.adoc @@ -25,22 +25,20 @@ At the end of this tutorial we will have: ---- parameters: vcluster: - host_service_cidr: 172.30.0.0/16 <1> k3s: additional_args: - - --kube-apiserver-arg=oidc-issuer-url=https://keycloak.example.com/auth/realms/realm <2> - - --kube-apiserver-arg=oidc-client-id=client-id <3> + - --kube-apiserver-arg=oidc-issuer-url=https://keycloak.example.com/auth/realms/realm <1> + - --kube-apiserver-arg=oidc-client-id=client-id <2> - --kube-apiserver-arg=oidc-username-claim=preferred_username - --kube-apiserver-arg=oidc-groups-claim=groups ingress: host: vcluster.example.com annotations: - route.openshift.io/termination: reencrypt <4> + route.openshift.io/termination: reencrypt <3> ---- -<1> The host service CIDR (see xref:references/parameters.adoc#_host_service_cidr[host_service_cidr in parameters]) -<2> The Keycloak URL and realm -<3> The client ID in Keycloak -<4> Needed to communicate with the encrypted vcluster endpoint +<1> The Keycloak URL and realm +<2> The client ID in Keycloak +<3> Needed to communicate with the encrypted vcluster endpoint . Compile and push cluster catalog + @@ -58,34 +56,6 @@ This will create 2 OpenShift Route objects; one for the Ingress and one for the You can inspect the certificate provisioning with `kubecl get certificate,order`. ==== -. Get CA certificate from Secret. -+ -[source,bash] ----- -INSTANCE_NAME=vcluster <1> -NS=syn-${INSTANCE_NAME} <2> -CA_CERT=$(kubectl -n ${NS} get secret vc-${INSTANCE_NAME}-kubeconfig -o jsonpath='{.data.certificate-authority}' | base64 --decode) ----- -<1> The instance name -<2> The target namespace in which vcluster is being installed - -. Patch generated Route. -+ -[NOTE] -==== -This step is necessary so that the OpenShift Router trusts the generated CA certificate of the vcluster. -==== -+ -[source,bash] ----- -route_name=$(kubectl -n ${NS} get route -o json | jq -r '.items[].metadata | select(.ownerReferences != null) | select(.ownerReferences[].name=="'${INSTANCE_NAME}'") | .name') -patch_cert="$(echo ${CA_CERT} | sed 's/$/\\n/' | tr -d '\n')" -patch_file=$(mktemp) -echo -E '{"spec":{"tls":{"destinationCACertificate":"'$(echo -E ${patch_cert})'"}}}' > ${patch_file} -kubectl -n ${NS} patch route ${route_name} --patch-file ${patch_file} -rm ${patch_file} ----- - == Configure Keycloak . Add Role to client diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc index 0eb148c..8221987 100644 --- a/docs/modules/ROOT/partials/nav.adoc +++ b/docs/modules/ROOT/partials/nav.adoc @@ -1,6 +1,7 @@ * xref:index.adoc[Home] .How-to guides +* xref:how-tos/upgrade-1.x-to-2.x.adoc[Upgrade 1.x to 2.x] * xref:tutorials/installation-openshift.adoc[Installation On OpenShift] * xref:how-tos/oidc.adoc[Setup OIDC Integration] diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/config-secret.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/config-secret.yaml new file mode 100644 index 0000000..01101e6 --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/config-secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + config.yaml: Y29udHJvbFBsYW5lOgogIGFkdmFuY2VkOgogICAgZGVmYXVsdEltYWdlUmVnaXN0cnk6ICIiCiAgICBnbG9iYWxNZXRhZGF0YToKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICBoZWFkbGVzc1NlcnZpY2U6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBsYWJlbHM6IHt9CiAgICBzZXJ2aWNlQWNjb3VudDoKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgaW1hZ2VQdWxsU2VjcmV0czogW10KICAgICAgbGFiZWxzOiB7fQogICAgICBuYW1lOiAiIgogICAgdmlydHVhbFNjaGVkdWxlcjoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHdvcmtsb2FkU2VydmljZUFjY291bnQ6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGltYWdlUHVsbFNlY3JldHM6IFtdCiAgICAgIGxhYmVsczoge30KICAgICAgbmFtZTogIiIKICBiYWNraW5nU3RvcmU6CiAgICBkYXRhYmFzZToKICAgICAgZW1iZWRkZWQ6CiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZXh0ZXJuYWw6CiAgICAgICAgY2FGaWxlOiAiIgogICAgICAgIGNlcnRGaWxlOiAiIgogICAgICAgIGNvbm5lY3RvcjogIiIKICAgICAgICBkYXRhU291cmNlOiAiIgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAga2V5RmlsZTogIiIKICAgIGV0Y2Q6CiAgICAgIGRlcGxveToKICAgICAgICBlbmFibGVkOiBmYWxzZQogICAgICAgIGhlYWRsZXNzU2VydmljZToKICAgICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgIHNlcnZpY2U6CiAgICAgICAgICBhbm5vdGF0aW9uczoge30KICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICBzdGF0ZWZ1bFNldDoKICAgICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgICAgZW5hYmxlU2VydmljZUxpbmtzOiB0cnVlCiAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICBlbnY6IFtdCiAgICAgICAgICBleHRyYUFyZ3M6IFtdCiAgICAgICAgICBoaWdoQXZhaWxhYmlsaXR5OgogICAgICAgICAgICByZXBsaWNhczogMQogICAgICAgICAgaW1hZ2U6CiAgICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgICAgcmVwb3NpdG9yeTogZXRjZAogICAgICAgICAgICB0YWc6IDMuNS4xNy0wCiAgICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgICAgICBsYWJlbHM6IHt9CiAgICAgICAgICBwZXJzaXN0ZW5jZToKICAgICAgICAgICAgYWRkVm9sdW1lTW91bnRzOiBbXQogICAgICAgICAgICBhZGRWb2x1bWVzOiBbXQogICAgICAgICAgICB2b2x1bWVDbGFpbToKICAgICAgICAgICAgICBhY2Nlc3NNb2RlczoKICAgICAgICAgICAgICAtIFJlYWRXcml0ZU9uY2UKICAgICAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICAgICAgcmV0ZW50aW9uUG9saWN5OiBSZXRhaW4KICAgICAgICAgICAgICBzaXplOiA1R2kKICAgICAgICAgICAgICBzdG9yYWdlQ2xhc3M6ICIiCiAgICAgICAgICAgIHZvbHVtZUNsYWltVGVtcGxhdGVzOiBbXQogICAgICAgICAgcG9kczoKICAgICAgICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgICAgICAgIGxhYmVsczoge30KICAgICAgICAgIHJlc291cmNlczoKICAgICAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICAgICAgY3B1OiAyMG0KICAgICAgICAgICAgICBtZW1vcnk6IDE1ME1pCiAgICAgICAgICBzY2hlZHVsaW5nOgogICAgICAgICAgICBhZmZpbml0eToge30KICAgICAgICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICAgICAgICBwb2RNYW5hZ2VtZW50UG9saWN5OiBQYXJhbGxlbAogICAgICAgICAgICBwcmlvcml0eUNsYXNzTmFtZTogIiIKICAgICAgICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgICAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6IFtdCiAgICAgICAgICBzZWN1cml0eToKICAgICAgICAgICAgY29udGFpbmVyU2VjdXJpdHlDb250ZXh0OiB7fQogICAgICAgICAgICBwb2RTZWN1cml0eUNvbnRleHQ6IHt9CiAgICAgIGVtYmVkZGVkOgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAgbWlncmF0ZUZyb21EZXBsb3llZEV0Y2Q6IGZhbHNlCiAgY29yZWRuczoKICAgIGRlcGxveW1lbnQ6CiAgICAgIGFmZmluaXR5OiB7fQogICAgICBhbm5vdGF0aW9uczoge30KICAgICAgaW1hZ2U6ICIiCiAgICAgIGxhYmVsczoge30KICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICBwb2RzOgogICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgIGxhYmVsczoge30KICAgICAgcmVwbGljYXM6IDEKICAgICAgcmVzb3VyY2VzOgogICAgICAgIGxpbWl0czoKICAgICAgICAgIGNwdTogMTAwMG0KICAgICAgICAgIG1lbW9yeTogMTcwTWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogMjBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6CiAgICAgIC0gbGFiZWxTZWxlY3RvcjoKICAgICAgICAgIG1hdGNoTGFiZWxzOgogICAgICAgICAgICBrOHMtYXBwOiB2Y2x1c3Rlci1rdWJlLWRucwogICAgICAgIG1heFNrZXc6IDEKICAgICAgICB0b3BvbG9neUtleToga3ViZXJuZXRlcy5pby9ob3N0bmFtZQogICAgICAgIHdoZW5VbnNhdGlzZmlhYmxlOiBEb05vdFNjaGVkdWxlCiAgICBlbWJlZGRlZDogZmFsc2UKICAgIGVuYWJsZWQ6IHRydWUKICAgIG92ZXJ3cml0ZUNvbmZpZzogIiIKICAgIG92ZXJ3cml0ZU1hbmlmZXN0czogIiIKICAgIHByaW9yaXR5Q2xhc3NOYW1lOiAiIgogICAgc2VydmljZToKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGxhYmVsczoge30KICAgICAgc3BlYzoKICAgICAgICB0eXBlOiBDbHVzdGVySVAKICBkaXN0cm86CiAgICBrMHM6CiAgICAgIGNvbW1hbmQ6IFtdCiAgICAgIGNvbmZpZzogIiIKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZXh0cmFBcmdzOiBbXQogICAgICBpbWFnZToKICAgICAgICByZWdpc3RyeTogIiIKICAgICAgICByZXBvc2l0b3J5OiBrMHNwcm9qZWN0L2swcwogICAgICAgIHRhZzogdjEuMzAuMi1rMHMuMAogICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIHJlc291cmNlczoKICAgICAgICBsaW1pdHM6CiAgICAgICAgICBjcHU6IDEwMG0KICAgICAgICAgIG1lbW9yeTogMjU2TWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogNDBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgc2VjdXJpdHlDb250ZXh0OiB7fQogICAgazNzOgogICAgICBjb21tYW5kOiBbXQogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGV4dHJhQXJnczogW10KICAgICAgaW1hZ2U6CiAgICAgICAgcmVnaXN0cnk6IGRvY2tlci5pbwogICAgICAgIHJlcG9zaXRvcnk6IHJhbmNoZXIvazNzCiAgICAgICAgdGFnOiB2MS4zMi4xLWszczEKICAgICAgaW1hZ2VQdWxsUG9saWN5OiAiIgogICAgICByZXNvdXJjZXM6CiAgICAgICAgbGltaXRzOgogICAgICAgICAgY3B1OiAxMDBtCiAgICAgICAgICBtZW1vcnk6IDI1Nk1pCiAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICBjcHU6IDQwbQogICAgICAgICAgbWVtb3J5OiA2NE1pCiAgICAgIHNlY3VyaXR5Q29udGV4dDoge30KICAgIGs4czoKICAgICAgYXBpU2VydmVyOgogICAgICAgIGNvbW1hbmQ6IFtdCiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgIGV4dHJhQXJnczogW10KICAgICAgICBpbWFnZToKICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgIHJlcG9zaXRvcnk6IGt1YmUtYXBpc2VydmVyCiAgICAgICAgICB0YWc6IHYxLjMyLjEKICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIGNvbnRyb2xsZXJNYW5hZ2VyOgogICAgICAgIGNvbW1hbmQ6IFtdCiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgIGV4dHJhQXJnczogW10KICAgICAgICBpbWFnZToKICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgIHJlcG9zaXRvcnk6IGt1YmUtY29udHJvbGxlci1tYW5hZ2VyCiAgICAgICAgICB0YWc6IHYxLjMyLjEKICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgIGVudjogW10KICAgICAgcmVzb3VyY2VzOgogICAgICAgIGxpbWl0czoKICAgICAgICAgIGNwdTogMTAwbQogICAgICAgICAgbWVtb3J5OiAyNTZNaQogICAgICAgIHJlcXVlc3RzOgogICAgICAgICAgY3B1OiA0MG0KICAgICAgICAgIG1lbW9yeTogNjRNaQogICAgICBzY2hlZHVsZXI6CiAgICAgICAgY29tbWFuZDogW10KICAgICAgICBleHRyYUFyZ3M6IFtdCiAgICAgICAgaW1hZ2U6CiAgICAgICAgICByZWdpc3RyeTogcmVnaXN0cnkuazhzLmlvCiAgICAgICAgICByZXBvc2l0b3J5OiBrdWJlLXNjaGVkdWxlcgogICAgICAgICAgdGFnOiB2MS4zMi4xCiAgICAgICAgaW1hZ2VQdWxsUG9saWN5OiAiIgogICAgICBzZWN1cml0eUNvbnRleHQ6IHt9CiAgICAgIHZlcnNpb246ICIiCiAgaW5ncmVzczoKICAgIGFubm90YXRpb25zOgogICAgICBjZXJ0LW1hbmFnZXIuaW8vY2x1c3Rlci1pc3N1ZXI6IGxldHNlbmNyeXB0LXByb2R1Y3Rpb24KICAgICAgbmdpbnguaW5ncmVzcy5rdWJlcm5ldGVzLmlvL2JhY2tlbmQtcHJvdG9jb2w6IEhUVFBTCiAgICAgIG5naW54LmluZ3Jlc3Mua3ViZXJuZXRlcy5pby9zc2wtcGFzc3Rocm91Z2g6ICJ0cnVlIgogICAgICBuZ2lueC5pbmdyZXNzLmt1YmVybmV0ZXMuaW8vc3NsLXJlZGlyZWN0OiAidHJ1ZSIKICAgIGVuYWJsZWQ6IHRydWUKICAgIGxhYmVsczoge30KICAgIHBhdGhUeXBlOiBJbXBsZW1lbnRhdGlvblNwZWNpZmljCiAgICBzcGVjOgogICAgICB0bHM6CiAgICAgIC0gaG9zdHM6CiAgICAgICAgLSBudWxsCiAgICAgICAgc2VjcmV0TmFtZTogZGVmYXVsdHMtdGxzCiAgcHJveHk6CiAgICBiaW5kQWRkcmVzczogMC4wLjAuMAogICAgZXh0cmFTQU5zOiBbXQogICAgcG9ydDogODQ0MwogIHNlcnZpY2U6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGVuYWJsZWQ6IHRydWUKICAgIGh0dHBzTm9kZVBvcnQ6IDAKICAgIGt1YmVsZXROb2RlUG9ydDogMAogICAgbGFiZWxzOiB7fQogICAgc3BlYzoKICAgICAgdHlwZTogQ2x1c3RlcklQCiAgc2VydmljZU1vbml0b3I6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBsYWJlbHM6IHt9CiAgc3RhdGVmdWxTZXQ6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGFyZ3M6IFtdCiAgICBjb21tYW5kOiBbXQogICAgZW5hYmxlU2VydmljZUxpbmtzOiB0cnVlCiAgICBlbnY6IFtdCiAgICBoaWdoQXZhaWxhYmlsaXR5OgogICAgICBsZWFzZUR1cmF0aW9uOiA2MAogICAgICByZW5ld0RlYWRsaW5lOiA0MAogICAgICByZXBsaWNhczogMQogICAgICByZXRyeVBlcmlvZDogMTUKICAgIGltYWdlOgogICAgICByZWdpc3RyeTogZ2hjci5pbwogICAgICByZXBvc2l0b3J5OiBsb2Z0LXNoL3ZjbHVzdGVyLW9zcwogICAgICB0YWc6IDAuMjQuMQogICAgaW1hZ2VQdWxsUG9saWN5OiAiIgogICAgbGFiZWxzOiB7fQogICAgcGVyc2lzdGVuY2U6CiAgICAgIGFkZFZvbHVtZU1vdW50czogW10KICAgICAgYWRkVm9sdW1lczogW10KICAgICAgYmluYXJpZXNWb2x1bWU6CiAgICAgIC0gZW1wdHlEaXI6IHt9CiAgICAgICAgbmFtZTogYmluYXJpZXMKICAgICAgZGF0YVZvbHVtZTogW10KICAgICAgdm9sdW1lQ2xhaW06CiAgICAgICAgYWNjZXNzTW9kZXM6CiAgICAgICAgLSBSZWFkV3JpdGVPbmNlCiAgICAgICAgZW5hYmxlZDogYXV0bwogICAgICAgIHJldGVudGlvblBvbGljeTogUmV0YWluCiAgICAgICAgc2l6ZTogNUdpCiAgICAgIHZvbHVtZUNsYWltVGVtcGxhdGVzOiBbXQogICAgcG9kczoKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGxhYmVsczoge30KICAgIHByb2JlczoKICAgICAgbGl2ZW5lc3NQcm9iZToKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHJlYWRpbmVzc1Byb2JlOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgc3RhcnR1cFByb2JlOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgIHJlc291cmNlczoKICAgICAgbGltaXRzOgogICAgICAgIGVwaGVtZXJhbC1zdG9yYWdlOiA4R2kKICAgICAgICBtZW1vcnk6IDJHaQogICAgICByZXF1ZXN0czoKICAgICAgICBjcHU6IDIwMG0KICAgICAgICBlcGhlbWVyYWwtc3RvcmFnZTogNDAwTWkKICAgICAgICBtZW1vcnk6IDI1Nk1pCiAgICBzY2hlZHVsaW5nOgogICAgICBhZmZpbml0eToge30KICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICBwb2RNYW5hZ2VtZW50UG9saWN5OiBQYXJhbGxlbAogICAgICBwcmlvcml0eUNsYXNzTmFtZTogIiIKICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6IFtdCiAgICBzZWN1cml0eToKICAgICAgY29udGFpbmVyU2VjdXJpdHlDb250ZXh0OgogICAgICAgIGFsbG93UHJpdmlsZWdlRXNjYWxhdGlvbjogZmFsc2UKICAgICAgcG9kU2VjdXJpdHlDb250ZXh0OiB7fQogICAgd29ya2luZ0RpcjogIiIKZXhwZXJpbWVudGFsOgogIGRlcGxveToKICAgIGhvc3Q6CiAgICAgIG1hbmlmZXN0czogIiIKICAgICAgbWFuaWZlc3RzVGVtcGxhdGU6ICIiCiAgICB2Y2x1c3RlcjoKICAgICAgaGVsbTogW10KICAgICAgbWFuaWZlc3RzOiBuaWwKICAgICAgbWFuaWZlc3RzVGVtcGxhdGU6ICIiCiAgZ2VuZXJpY1N5bmM6CiAgICBjbHVzdGVyUm9sZToKICAgICAgZXh0cmFSdWxlczogW10KICAgIHJvbGU6CiAgICAgIGV4dHJhUnVsZXM6IFtdCiAgaXNvbGF0ZWRDb250cm9sUGxhbmU6CiAgICBoZWFkbGVzczogZmFsc2UKICBtdWx0aU5hbWVzcGFjZU1vZGU6CiAgICBlbmFibGVkOiBmYWxzZQogIHJldXNlTmFtZXNwYWNlOiBmYWxzZQogIHN5bmNTZXR0aW5nczoKICAgIGRpc2FibGVTeW5jOiBmYWxzZQogICAgcmV3cml0ZUt1YmVybmV0ZXNTZXJ2aWNlOiBmYWxzZQogICAgc2V0T3duZXI6IHRydWUKICAgIHRhcmdldE5hbWVzcGFjZTogIiIKZXhwb3J0S3ViZUNvbmZpZzoKICBjb250ZXh0OiAiIgogIGluc2VjdXJlOiBmYWxzZQogIHNlY3JldDoKICAgIG5hbWU6ICIiCiAgICBuYW1lc3BhY2U6ICIiCiAgc2VydmVyOiBodHRwczovL05vbmUKICBzZXJ2aWNlQWNjb3VudDoKICAgIGNsdXN0ZXJSb2xlOiBjbHVzdGVyLWFkbWluCiAgICBuYW1lOiBkZWZhdWx0cy1hZG1pbgogICAgbmFtZXNwYWNlOiAiIgpleHRlcm5hbDoge30KaW50ZWdyYXRpb25zOgogIGNlcnRNYW5hZ2VyOgogICAgZW5hYmxlZDogZmFsc2UKICAgIHN5bmM6CiAgICAgIGZyb21Ib3N0OgogICAgICAgIGNsdXN0ZXJJc3N1ZXJzOgogICAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgICAgc2VsZWN0b3I6CiAgICAgICAgICAgIGxhYmVsczoge30KICAgICAgdG9Ib3N0OgogICAgICAgIGNlcnRpZmljYXRlczoKICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICBpc3N1ZXJzOgogICAgICAgICAgZW5hYmxlZDogdHJ1ZQogIGV4dGVybmFsU2VjcmV0czoKICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBzeW5jOgogICAgICBjbHVzdGVyU3RvcmVzOgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAgc2VsZWN0b3I6CiAgICAgICAgICBsYWJlbHM6IHt9CiAgICAgIGV4dGVybmFsU2VjcmV0czoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHN0b3JlczoKICAgICAgICBlbmFibGVkOiBmYWxzZQogICAgd2ViaG9vazoKICAgICAgZW5hYmxlZDogZmFsc2UKICBrdWJlVmlydDoKICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBzeW5jOgogICAgICBkYXRhVm9sdW1lczoKICAgICAgICBlbmFibGVkOiBmYWxzZQogICAgICB2aXJ0dWFsTWFjaGluZUNsb25lczoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHZpcnR1YWxNYWNoaW5lSW5zdGFuY2VNaWdyYXRpb25zOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgdmlydHVhbE1hY2hpbmVJbnN0YW5jZXM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICB2aXJ0dWFsTWFjaGluZVBvb2xzOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgdmlydHVhbE1hY2hpbmVzOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgIHdlYmhvb2s6CiAgICAgIGVuYWJsZWQ6IHRydWUKICBtZXRyaWNzU2VydmVyOgogICAgZW5hYmxlZDogZmFsc2UKICAgIG5vZGVzOiB0cnVlCiAgICBwb2RzOiB0cnVlCm5ldHdvcmtpbmc6CiAgYWR2YW5jZWQ6CiAgICBjbHVzdGVyRG9tYWluOiBjbHVzdGVyLmxvY2FsCiAgICBmYWxsYmFja0hvc3RDbHVzdGVyOiBmYWxzZQogICAgcHJveHlLdWJlbGV0czoKICAgICAgYnlIb3N0bmFtZTogdHJ1ZQogICAgICBieUlQOiB0cnVlCiAgcmVwbGljYXRlU2VydmljZXM6CiAgICBmcm9tSG9zdDogW10KICAgIHRvSG9zdDogW10KICByZXNvbHZlRE5TOiBbXQpwbHVnaW5zOiB7fQpwb2xpY2llczoKICBjZW50cmFsQWRtaXNzaW9uOgogICAgbXV0YXRpbmdXZWJob29rczogW10KICAgIHZhbGlkYXRpbmdXZWJob29rczogW10KICBsaW1pdFJhbmdlOgogICAgYW5ub3RhdGlvbnM6IHt9CiAgICBkZWZhdWx0OgogICAgICBjcHU6ICIxIgogICAgICBlcGhlbWVyYWwtc3RvcmFnZTogOEdpCiAgICAgIG1lbW9yeTogNTEyTWkKICAgIGRlZmF1bHRSZXF1ZXN0OgogICAgICBjcHU6IDEwMG0KICAgICAgZXBoZW1lcmFsLXN0b3JhZ2U6IDNHaQogICAgICBtZW1vcnk6IDEyOE1pCiAgICBlbmFibGVkOiBhdXRvCiAgICBsYWJlbHM6IHt9CiAgICBtYXg6IHt9CiAgICBtaW46IHt9CiAgbmV0d29ya1BvbGljeToKICAgIGFubm90YXRpb25zOiB7fQogICAgZW5hYmxlZDogZmFsc2UKICAgIGZhbGxiYWNrRG5zOiA4LjguOC44CiAgICBsYWJlbHM6IHt9CiAgICBvdXRnb2luZ0Nvbm5lY3Rpb25zOgogICAgICBpcEJsb2NrOgogICAgICAgIGNpZHI6IDAuMC4wLjAvMAogICAgICAgIGV4Y2VwdDoKICAgICAgICAtIDEwMC42NC4wLjAvMTAKICAgICAgICAtIDEyNy4wLjAuMC84CiAgICAgICAgLSAxMC4wLjAuMC84CiAgICAgICAgLSAxNzIuMTYuMC4wLzEyCiAgICAgICAgLSAxOTIuMTY4LjAuMC8xNgogICAgICBwbGF0Zm9ybTogdHJ1ZQogIHJlc291cmNlUXVvdGE6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGVuYWJsZWQ6IGF1dG8KICAgIGxhYmVsczoge30KICAgIHF1b3RhOgogICAgICBjb3VudC9jb25maWdtYXBzOiAxMDAKICAgICAgY291bnQvZW5kcG9pbnRzOiA0MAogICAgICBjb3VudC9wZXJzaXN0ZW50dm9sdW1lY2xhaW1zOiAyMAogICAgICBjb3VudC9wb2RzOiAyMAogICAgICBjb3VudC9zZWNyZXRzOiAxMDAKICAgICAgY291bnQvc2VydmljZXM6IDIwCiAgICAgIGxpbWl0cy5jcHU6IDIwCiAgICAgIGxpbWl0cy5lcGhlbWVyYWwtc3RvcmFnZTogMTYwR2kKICAgICAgbGltaXRzLm1lbW9yeTogNDBHaQogICAgICByZXF1ZXN0cy5jcHU6IDEwCiAgICAgIHJlcXVlc3RzLmVwaGVtZXJhbC1zdG9yYWdlOiA2MEdpCiAgICAgIHJlcXVlc3RzLm1lbW9yeTogMjBHaQogICAgICByZXF1ZXN0cy5zdG9yYWdlOiAxMDBHaQogICAgICBzZXJ2aWNlcy5sb2FkYmFsYW5jZXJzOiAxCiAgICAgIHNlcnZpY2VzLm5vZGVwb3J0czogMAogICAgc2NvcGVTZWxlY3RvcjoKICAgICAgbWF0Y2hFeHByZXNzaW9uczogW10KICAgIHNjb3BlczogW10KcmJhYzoKICBjbHVzdGVyUm9sZToKICAgIGVuYWJsZWQ6IGF1dG8KICAgIGV4dHJhUnVsZXM6IFtdCiAgICBvdmVyd3JpdGVSdWxlczogW10KICByb2xlOgogICAgZW5hYmxlZDogdHJ1ZQogICAgZXh0cmFSdWxlczoKICAgIC0gYXBpR3JvdXBzOgogICAgICAtICIiCiAgICAgIHJlc291cmNlczoKICAgICAgLSBlbmRwb2ludHMvcmVzdHJpY3RlZAogICAgICB2ZXJiczoKICAgICAgLSBjcmVhdGUKICAgIG92ZXJ3cml0ZVJ1bGVzOiBbXQpzeW5jOgogIGZyb21Ib3N0OgogICAgY29uZmlnTWFwczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgbWFwcGluZ3M6CiAgICAgICAgYnlOYW1lOiB7fQogICAgY3NpRHJpdmVyczoKICAgICAgZW5hYmxlZDogYXV0bwogICAgY3NpTm9kZXM6CiAgICAgIGVuYWJsZWQ6IGF1dG8KICAgIGNzaVN0b3JhZ2VDYXBhY2l0aWVzOgogICAgICBlbmFibGVkOiBhdXRvCiAgICBldmVudHM6CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIGluZ3Jlc3NDbGFzc2VzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgbm9kZXM6CiAgICAgIGNsZWFySW1hZ2VTdGF0dXM6IGZhbHNlCiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgIHNlbGVjdG9yOgogICAgICAgIGFsbDogZmFsc2UKICAgICAgICBsYWJlbHM6IHt9CiAgICAgIHN5bmNCYWNrQ2hhbmdlczogZmFsc2UKICAgIHByaW9yaXR5Q2xhc3NlczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHJ1bnRpbWVDbGFzc2VzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgc2VjcmV0czoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgbWFwcGluZ3M6CiAgICAgICAgYnlOYW1lOiB7fQogICAgc3RvcmFnZUNsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGF1dG8KICAgIHZvbHVtZVNuYXBzaG90Q2xhc3NlczoKICAgICAgZW5hYmxlZDogZmFsc2UKICB0b0hvc3Q6CiAgICBjb25maWdNYXBzOgogICAgICBhbGw6IGZhbHNlCiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIGVuZHBvaW50czoKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgaW5ncmVzc2VzOgogICAgICBlbmFibGVkOiB0cnVlCiAgICBuZXR3b3JrUG9saWNpZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBwZXJzaXN0ZW50Vm9sdW1lQ2xhaW1zOgogICAgICBlbmFibGVkOiB0cnVlCiAgICBwZXJzaXN0ZW50Vm9sdW1lczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHBvZERpc3J1cHRpb25CdWRnZXRzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgcG9kczoKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICBlbmZvcmNlVG9sZXJhdGlvbnM6IFtdCiAgICAgIHByaW9yaXR5Q2xhc3NOYW1lOiAiIgogICAgICByZXdyaXRlSG9zdHM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgIGluaXRDb250YWluZXI6CiAgICAgICAgICBpbWFnZTogbGlicmFyeS9hbHBpbmU6My4yMAogICAgICAgICAgcmVzb3VyY2VzOgogICAgICAgICAgICBsaW1pdHM6CiAgICAgICAgICAgICAgY3B1OiAzMG0KICAgICAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICAgICAgY3B1OiAzMG0KICAgICAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgcnVudGltZUNsYXNzTmFtZTogIiIKICAgICAgdHJhbnNsYXRlSW1hZ2U6IHt9CiAgICAgIHVzZVNlY3JldHNGb3JTQVRva2VuczogZmFsc2UKICAgIHByaW9yaXR5Q2xhc3NlczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHNlY3JldHM6CiAgICAgIGFsbDogZmFsc2UKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgc2VydmljZUFjY291bnRzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgc2VydmljZXM6CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIHN0b3JhZ2VDbGFzc2VzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgdm9sdW1lU25hcHNob3RDb250ZW50czoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHZvbHVtZVNuYXBzaG90czoKICAgICAgZW5hYmxlZDogZmFsc2UKdGVsZW1ldHJ5OgogIGVuYWJsZWQ6IHRydWU= +kind: Secret +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: vc-config-defaults + namespace: syn-defaults +type: Opaque diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml new file mode 100644 index 0000000..9f13a1b --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml @@ -0,0 +1,68 @@ +apiVersion: v1 +data: + coredns.yaml: "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: coredns\n\ + \ namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind:\ + \ ClusterRole\nmetadata:\n labels:\n kubernetes.io/bootstrapping: rbac-defaults\n\ + \ name: system:coredns\nrules:\n - apiGroups:\n - \"\"\n resources:\n\ + \ - endpoints\n - services\n - pods\n - namespaces\n verbs:\n\ + \ - list\n - watch\n - apiGroups:\n - discovery.k8s.io\n resources:\n\ + \ - endpointslices\n verbs:\n - list\n - watch\n---\napiVersion:\ + \ rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n annotations:\n\ + \ rbac.authorization.kubernetes.io/autoupdate: \"true\"\n labels:\n kubernetes.io/bootstrapping:\ + \ rbac-defaults\n name: system:coredns\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n\ + \ kind: ClusterRole\n name: system:coredns\nsubjects:\n - kind: ServiceAccount\n\ + \ name: coredns\n namespace: kube-system\n---\napiVersion: v1\nkind: ConfigMap\n\ + metadata:\n name: coredns\n namespace: kube-system\ndata:\n Corefile: |-\n\ + \ .:1053 {\n errors\n health\n ready\n rewrite\ + \ name regex .*\\.nodes\\.vcluster\\.com kubernetes.default.svc.cluster.local\n\ + \ kubernetes cluster.local in-addr.arpa ip6.arpa {\n pods insecure\n\ + \ fallthrough in-addr.arpa ip6.arpa\n }\n hosts /etc/NodeHosts\ + \ {\n ttl 60\n reload 15s\n fallthrough\n \ + \ }\n prometheus :9153\n forward . /etc/resolv.conf\n \ + \ cache 30\n loop\n loadbalance\n }\n \n import /etc/coredns/custom/*.server\n\ + \ NodeHosts: \"\"\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name:\ + \ coredns\n namespace: kube-system\n labels:\n k8s-app: vcluster-kube-dns\n\ + \ kubernetes.io/name: \"CoreDNS\"\nspec:\n replicas: 1\n strategy:\n type:\ + \ RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n \ + \ matchLabels:\n k8s-app: vcluster-kube-dns\n template:\n metadata:\n\ + \ labels:\n k8s-app: vcluster-kube-dns\n spec:\n priorityClassName:\ + \ \"\"\n serviceAccountName: coredns\n nodeSelector:\n kubernetes.io/os:\ + \ linux\n topologySpreadConstraints:\n - labelSelector:\n \ + \ matchLabels:\n k8s-app: vcluster-kube-dns\n maxSkew:\ + \ 1\n topologyKey: kubernetes.io/hostname\n whenUnsatisfiable:\ + \ DoNotSchedule\n containers:\n - name: coredns\n image:\ + \ {{.IMAGE}}\n imagePullPolicy: IfNotPresent\n resources:\n\ + \ limits:\n cpu: 1000m\n memory: 170Mi\n\ + \ requests:\n cpu: 20m\n memory: 64Mi\n \ + \ args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n volumeMounts:\n\ + \ - name: config-volume\n mountPath: /etc/coredns\n \ + \ readOnly: true\n - name: custom-config-volume\n \ + \ mountPath: /etc/coredns/custom\n readOnly: true\n \ + \ securityContext:\n runAsNonRoot: true\n runAsUser:\ + \ {{.RUN_AS_USER}}\n runAsGroup: {{.RUN_AS_GROUP}}\n allowPrivilegeEscalation:\ + \ false\n capabilities:\n add:\n - NET_BIND_SERVICE\n\ + \ drop:\n - ALL\n readOnlyRootFilesystem:\ + \ true\n livenessProbe:\n httpGet:\n path: /health\n\ + \ port: 8080\n scheme: HTTP\n initialDelaySeconds:\ + \ 60\n periodSeconds: 10\n timeoutSeconds: 1\n \ + \ successThreshold: 1\n failureThreshold: 3\n readinessProbe:\n\ + \ httpGet:\n path: /ready\n port: 8181\n\ + \ scheme: HTTP\n initialDelaySeconds: 0\n periodSeconds:\ + \ 2\n timeoutSeconds: 1\n successThreshold: 1\n \ + \ failureThreshold: 3\n dnsPolicy: Default\n volumes:\n -\ + \ name: config-volume\n configMap:\n name: coredns\n \ + \ items:\n - key: Corefile\n path: Corefile\n\ + \ - key: NodeHosts\n path: NodeHosts\n - name:\ + \ custom-config-volume\n configMap:\n name: coredns-custom\n\ + \ optional: true\n---\napiVersion: v1\nkind: Service\nmetadata:\n \ + \ name: kube-dns\n namespace: kube-system\n annotations:\n prometheus.io/port:\ + \ \"9153\"\n prometheus.io/scrape: \"true\"\n labels:\n k8s-app: vcluster-kube-dns\n\ + \ kubernetes.io/cluster-service: \"true\"\n kubernetes.io/name: \"CoreDNS\"\ + \nspec:\n type: ClusterIP\n selector:\n k8s-app: vcluster-kube-dns\n ports:\n\ + \ - name: dns\n port: 53\n targetPort: 1053\n protocol: UDP\n\ + \ - name: dns-tcp\n port: 53\n targetPort: 1053\n protocol:\ + \ TCP\n - name: metrics\n port: 9153\n protocol: TCP" +kind: ConfigMap +metadata: + name: vc-coredns-defaults + namespace: syn-defaults diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/headless-service.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/headless-service.yaml new file mode 100644 index 0000000..fc8be61 --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/headless-service.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: defaults-headless + namespace: syn-defaults +spec: + clusterIP: None + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + publishNotReadyAddresses: true + selector: + app: vcluster + release: defaults diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/ingress.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/ingress.yaml new file mode 100644 index 0000000..9d09d03 --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/ingress.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/ssl-passthrough: 'true' + nginx.ingress.kubernetes.io/ssl-redirect: 'true' + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: defaults + namespace: syn-defaults +spec: + rules: + - host: null + http: + paths: + - backend: + service: + name: defaults + port: + name: https + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - null + secretName: defaults-tls diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/role.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/role.yaml new file mode 100644 index 0000000..b634d46 --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/role.yaml @@ -0,0 +1,85 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: vc-defaults + namespace: syn-defaults +rules: + - apiGroups: + - '' + resources: + - configmaps + - secrets + - services + - pods + - pods/attach + - pods/portforward + - pods/exec + - persistentvolumeclaims + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods/status + - pods/ephemeralcontainers + verbs: + - patch + - update + - apiGroups: + - apps + resources: + - statefulsets + - replicasets + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints + - events + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - delete + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints/restricted + verbs: + - create diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml new file mode 100644 index 0000000..2680aff --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: vc-defaults + namespace: syn-defaults +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vc-defaults +subjects: + - kind: ServiceAccount + name: vc-defaults + namespace: syn-defaults diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/service.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/service.yaml new file mode 100644 index 0000000..96a8f21 --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + vcluster.loft.sh/service: 'true' + name: defaults + namespace: syn-defaults +spec: + ports: + - name: https + nodePort: 0 + port: 443 + protocol: TCP + targetPort: 8443 + - name: kubelet + nodePort: 0 + port: 10250 + protocol: TCP + targetPort: 8443 + selector: + app: vcluster + release: defaults + type: ClusterIP diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml new file mode 100644 index 0000000..d110104 --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: vc-defaults + namespace: syn-defaults diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/statefulset.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/statefulset.yaml new file mode 100644 index 0000000..ab6672d --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/statefulset.yaml @@ -0,0 +1,148 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: defaults + namespace: syn-defaults +spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + podManagementPolicy: Parallel + replicas: 1 + selector: + matchLabels: + app: vcluster + release: defaults + serviceName: defaults-headless + template: + metadata: + annotations: + vClusterConfigHash: 9d347a576d42fa8f2e16fee713ec9f923ca58346f60e274590a48450a6a557e1 + labels: + app: vcluster + release: defaults + spec: + containers: + - env: + - name: VCLUSTER_NAME + value: defaults + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: ghcr.io/loft-sh/vcluster-oss:0.24.1 + imagePullPolicy: null + livenessProbe: + failureThreshold: 60 + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 60 + periodSeconds: 2 + timeoutSeconds: 3 + name: syncer + readinessProbe: + failureThreshold: 60 + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + periodSeconds: 2 + timeoutSeconds: 3 + resources: + limits: + ephemeral-storage: 8Gi + memory: 2Gi + requests: + cpu: 200m + ephemeral-storage: 400Mi + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + startupProbe: + failureThreshold: 300 + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + periodSeconds: 6 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /binaries + name: binaries + - mountPath: /pki + name: certs + - mountPath: /.cache/helm + name: helm-cache + - mountPath: /etc/rancher + name: k3s-config + - mountPath: /var/vcluster + name: vcluster-config + - mountPath: /tmp + name: tmp + - mountPath: /manifests/coredns + name: coredns + readOnly: true + enableServiceLinks: true + initContainers: + - args: + - -c + - cp /bin/k3s /binaries/k3s + command: + - /bin/sh + image: docker.io/rancher/k3s:v1.32.1-k3s1 + name: vcluster + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 40m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /binaries + name: binaries + serviceAccountName: vc-defaults + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: helm-cache + - emptyDir: {} + name: binaries + - emptyDir: {} + name: tmp + - emptyDir: {} + name: certs + - emptyDir: {} + name: k3s-config + - name: vcluster-config + secret: + secretName: vc-config-defaults + - configMap: + name: vc-coredns-defaults + name: coredns + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml new file mode 100644 index 0000000..c1417be --- /dev/null +++ b/tests/golden/defaults/defaults/defaults/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: defaults + name: vc-workload-defaults + namespace: syn-defaults diff --git a/tests/golden/defaults/defaults/defaults/10_cluster.yaml b/tests/golden/defaults/defaults/defaults/10_cluster.yaml deleted file mode 100644 index 2c6933b..0000000 --- a/tests/golden/defaults/defaults/defaults/10_cluster.yaml +++ /dev/null @@ -1,519 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: vc-defaults - name: vc-defaults - namespace: syn-defaults ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: defaults - name: defaults - namespace: syn-defaults -rules: - - apiGroups: - - '' - resources: - - configmaps - - secrets - - services - - pods - - pods/attach - - pods/portforward - - pods/exec - - endpoints - - persistentvolumeclaims - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - - pods/log - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - replicasets - - deployments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: defaults - name: defaults - namespace: syn-defaults -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: defaults -subjects: - - kind: ServiceAccount - name: vc-defaults - namespace: syn-defaults ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: {} - labels: - name: syn-vcluster-defaults - name: syn-vcluster-defaults -rules: - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: {} - labels: - name: syn-vcluster-defaults - name: syn-vcluster-defaults -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: syn-vcluster-defaults -subjects: - - kind: ServiceAccount - name: vc-defaults - namespace: syn-defaults ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: defaults - name: defaults - namespace: syn-defaults -spec: - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: vcluster - release: defaults - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: defaults-headless - name: defaults-headless - namespace: syn-defaults -spec: - clusterIP: None - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: vcluster - release: defaults ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - annotations: {} - labels: - name: defaults - name: defaults - namespace: syn-defaults -spec: - replicas: 1 - selector: - matchLabels: - app: vcluster - release: defaults - serviceName: defaults-headless - template: - metadata: - labels: - app: vcluster - release: defaults - spec: - affinity: {} - containers: - - args: - - server - - --write-kubeconfig=/data/k3s-config/kube-config.yaml - - --data-dir=/data - - --disable=traefik,servicelb,metrics-server,local-storage,coredns - - --disable-network-policy - - --disable-agent - - --disable-scheduler - - --disable-cloud-controller - - --flannel-backend=none - - --service-cidr=172.30.0.0/16 - - --kube-controller-manager-arg=controllers=*,-nodeipam,-nodelifecycle,-persistentvolume-binder,-attachdetach,-persistentvolume-expander,-cloud-node-lifecycle - - --tls-san=defaults.syn-defaults.svc.cluster.local - - --tls-san=defaults.syn-defaults.svc - - --tls-san=defaults.syn-defaults - - --tls-san=defaults - command: - - /bin/k3s - env: [] - image: docker.io/rancher/k3s:v1.25.15-k3s1 - name: vcluster - resources: - limits: - memory: 2Gi - requests: - cpu: 200m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/rancher - name: etc-rancher - - args: - - --name=defaults - - --out-kube-config-secret=vc-defaults-kubeconfig - - --sync=ingresses - - --tls-san=defaults.syn-defaults.svc.cluster.local - - --tls-san=defaults.syn-defaults.svc - - --tls-san=defaults.syn-defaults - - --tls-san=defaults - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: docker.io/loftsh/vcluster:0.14.1 - livenessProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 60 - periodSeconds: 2 - name: syncer - readinessProbe: - failureThreshold: 30 - httpGet: - path: /readyz - port: 8443 - scheme: HTTPS - periodSeconds: 2 - resources: - limits: - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /data - name: data - readOnly: true - - mountPath: /manifests/coredns - name: coredns - readOnly: true - nodeSelector: {} - serviceAccountName: vc-defaults - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - configMap: - defaultMode: 420 - name: vc-defaults-coredns - name: coredns - - emptyDir: {} - name: etc-rancher - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - storageClassName: null ---- -apiVersion: v1 -data: - manifests: |+ - --- - -kind: ConfigMap -metadata: - annotations: {} - labels: - name: defaults-init-manifests - name: defaults-init-manifests - namespace: syn-defaults ---- -apiVersion: v1 -data: - coredns.yaml: | - apiVersion: v1 - kind: ServiceAccount - metadata: - name: coredns - namespace: kube-system - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns - subjects: - - kind: ServiceAccount - name: coredns - namespace: kube-system - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: coredns - namespace: kube-system - data: - Corefile: | - .:1053 { - {{.LOG_IN_DEBUG}} - errors - health - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - } - hosts /etc/coredns/NodeHosts { - ttl 60 - reload 15s - fallthrough - } - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } - - import /etc/coredns/custom/*.server - NodeHosts: "" - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: coredns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/name: "CoreDNS" - spec: - replicas: 1 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: kube-dns - template: - metadata: - labels: - k8s-app: kube-dns - spec: - priorityClassName: "system-cluster-critical" - serviceAccountName: coredns - nodeSelector: - kubernetes.io/os: linux - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - k8s-app: kube-dns - containers: - - name: coredns - image: {{.IMAGE}} - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 1000m - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - - name: custom-config-volume - mountPath: /etc/coredns/custom - readOnly: true - ports: - - containerPort: 1053 - name: dns - protocol: UDP - - containerPort: 1053 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - securityContext: - runAsNonRoot: true - runAsUser: {{.RUN_AS_USER}} - runAsGroup: {{.RUN_AS_GROUP}} - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 2 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: Default - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile - - key: NodeHosts - path: NodeHosts - - name: custom-config-volume - configMap: - name: coredns-custom - optional: true - --- - apiVersion: v1 - kind: Service - metadata: - name: kube-dns - namespace: kube-system - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - spec: - selector: - k8s-app: kube-dns - type: ClusterIP - ports: - - name: dns - port: 53 - targetPort: 1053 - protocol: UDP - - name: dns-tcp - port: 53 - targetPort: 1053 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP -kind: ConfigMap -metadata: - annotations: {} - labels: - name: vc-defaults-coredns - name: vc-defaults-coredns - namespace: syn-defaults diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/config-secret.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/config-secret.yaml new file mode 100644 index 0000000..4cc0689 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/config-secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + config.yaml: Y29udHJvbFBsYW5lOgogIGFkdmFuY2VkOgogICAgZGVmYXVsdEltYWdlUmVnaXN0cnk6ICIiCiAgICBnbG9iYWxNZXRhZGF0YToKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICBoZWFkbGVzc1NlcnZpY2U6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBsYWJlbHM6IHt9CiAgICBzZXJ2aWNlQWNjb3VudDoKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgaW1hZ2VQdWxsU2VjcmV0czogW10KICAgICAgbGFiZWxzOiB7fQogICAgICBuYW1lOiAiIgogICAgdmlydHVhbFNjaGVkdWxlcjoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHdvcmtsb2FkU2VydmljZUFjY291bnQ6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGltYWdlUHVsbFNlY3JldHM6IFtdCiAgICAgIGxhYmVsczoge30KICAgICAgbmFtZTogIiIKICBiYWNraW5nU3RvcmU6CiAgICBkYXRhYmFzZToKICAgICAgZW1iZWRkZWQ6CiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZXh0ZXJuYWw6CiAgICAgICAgY2FGaWxlOiAiIgogICAgICAgIGNlcnRGaWxlOiAiIgogICAgICAgIGNvbm5lY3RvcjogIiIKICAgICAgICBkYXRhU291cmNlOiAiIgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAga2V5RmlsZTogIiIKICAgIGV0Y2Q6CiAgICAgIGRlcGxveToKICAgICAgICBlbmFibGVkOiBmYWxzZQogICAgICAgIGhlYWRsZXNzU2VydmljZToKICAgICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgIHNlcnZpY2U6CiAgICAgICAgICBhbm5vdGF0aW9uczoge30KICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICBzdGF0ZWZ1bFNldDoKICAgICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgICAgZW5hYmxlU2VydmljZUxpbmtzOiB0cnVlCiAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICBlbnY6IFtdCiAgICAgICAgICBleHRyYUFyZ3M6IFtdCiAgICAgICAgICBoaWdoQXZhaWxhYmlsaXR5OgogICAgICAgICAgICByZXBsaWNhczogMQogICAgICAgICAgaW1hZ2U6CiAgICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgICAgcmVwb3NpdG9yeTogZXRjZAogICAgICAgICAgICB0YWc6IDMuNS4xNy0wCiAgICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgICAgICBsYWJlbHM6IHt9CiAgICAgICAgICBwZXJzaXN0ZW5jZToKICAgICAgICAgICAgYWRkVm9sdW1lTW91bnRzOiBbXQogICAgICAgICAgICBhZGRWb2x1bWVzOiBbXQogICAgICAgICAgICB2b2x1bWVDbGFpbToKICAgICAgICAgICAgICBhY2Nlc3NNb2RlczoKICAgICAgICAgICAgICAtIFJlYWRXcml0ZU9uY2UKICAgICAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICAgICAgcmV0ZW50aW9uUG9saWN5OiBSZXRhaW4KICAgICAgICAgICAgICBzaXplOiA1R2kKICAgICAgICAgICAgICBzdG9yYWdlQ2xhc3M6ICIiCiAgICAgICAgICAgIHZvbHVtZUNsYWltVGVtcGxhdGVzOiBbXQogICAgICAgICAgcG9kczoKICAgICAgICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgICAgICAgIGxhYmVsczoge30KICAgICAgICAgIHJlc291cmNlczoKICAgICAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICAgICAgY3B1OiAyMG0KICAgICAgICAgICAgICBtZW1vcnk6IDE1ME1pCiAgICAgICAgICBzY2hlZHVsaW5nOgogICAgICAgICAgICBhZmZpbml0eToge30KICAgICAgICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICAgICAgICBwb2RNYW5hZ2VtZW50UG9saWN5OiBQYXJhbGxlbAogICAgICAgICAgICBwcmlvcml0eUNsYXNzTmFtZTogIiIKICAgICAgICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgICAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6IFtdCiAgICAgICAgICBzZWN1cml0eToKICAgICAgICAgICAgY29udGFpbmVyU2VjdXJpdHlDb250ZXh0OiB7fQogICAgICAgICAgICBwb2RTZWN1cml0eUNvbnRleHQ6IHt9CiAgICAgIGVtYmVkZGVkOgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAgbWlncmF0ZUZyb21EZXBsb3llZEV0Y2Q6IGZhbHNlCiAgY29yZWRuczoKICAgIGRlcGxveW1lbnQ6CiAgICAgIGFmZmluaXR5OiB7fQogICAgICBhbm5vdGF0aW9uczoge30KICAgICAgaW1hZ2U6ICIiCiAgICAgIGxhYmVsczoge30KICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICBwb2RzOgogICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgIGxhYmVsczoge30KICAgICAgcmVwbGljYXM6IDEKICAgICAgcmVzb3VyY2VzOgogICAgICAgIGxpbWl0czoKICAgICAgICAgIGNwdTogMTAwMG0KICAgICAgICAgIG1lbW9yeTogMTcwTWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogMjBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6CiAgICAgIC0gbGFiZWxTZWxlY3RvcjoKICAgICAgICAgIG1hdGNoTGFiZWxzOgogICAgICAgICAgICBrOHMtYXBwOiB2Y2x1c3Rlci1rdWJlLWRucwogICAgICAgIG1heFNrZXc6IDEKICAgICAgICB0b3BvbG9neUtleToga3ViZXJuZXRlcy5pby9ob3N0bmFtZQogICAgICAgIHdoZW5VbnNhdGlzZmlhYmxlOiBEb05vdFNjaGVkdWxlCiAgICBlbWJlZGRlZDogZmFsc2UKICAgIGVuYWJsZWQ6IHRydWUKICAgIG92ZXJ3cml0ZUNvbmZpZzogIiIKICAgIG92ZXJ3cml0ZU1hbmlmZXN0czogIiIKICAgIHByaW9yaXR5Q2xhc3NOYW1lOiAiIgogICAgc2VydmljZToKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGxhYmVsczoge30KICAgICAgc3BlYzoKICAgICAgICB0eXBlOiBDbHVzdGVySVAKICBkaXN0cm86CiAgICBrMHM6CiAgICAgIGNvbW1hbmQ6IFtdCiAgICAgIGNvbmZpZzogIiIKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZXh0cmFBcmdzOiBbXQogICAgICBpbWFnZToKICAgICAgICByZWdpc3RyeTogIiIKICAgICAgICByZXBvc2l0b3J5OiBrMHNwcm9qZWN0L2swcwogICAgICAgIHRhZzogdjEuMzAuMi1rMHMuMAogICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIHJlc291cmNlczoKICAgICAgICBsaW1pdHM6CiAgICAgICAgICBjcHU6IDEwMG0KICAgICAgICAgIG1lbW9yeTogMjU2TWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogNDBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgc2VjdXJpdHlDb250ZXh0OiB7fQogICAgazNzOgogICAgICBjb21tYW5kOiBbXQogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGV4dHJhQXJnczoKICAgICAgLSAtLWt1YmUtYXBpc2VydmVyLWFyZz1vaWRjLWlzc3Vlci11cmw9aHR0cHM6Ly9pZC5sb2NhbC9hdXRoL3JlYWxtcy9sb2NhbAogICAgICAtIC0ta3ViZS1hcGlzZXJ2ZXItYXJnPW9pZGMtY2xpZW50LWlkPWxvY2FsCiAgICAgIC0gLS1rdWJlLWFwaXNlcnZlci1hcmc9b2lkYy11c2VybmFtZS1jbGFpbT1lbWFpbAogICAgICAtIC0ta3ViZS1hcGlzZXJ2ZXItYXJnPW9pZGMtZ3JvdXBzLWNsYWltPWdyb3VwcwogICAgICBpbWFnZToKICAgICAgICByZWdpc3RyeTogZG9ja2VyLmlvCiAgICAgICAgcmVwb3NpdG9yeTogcmFuY2hlci9rM3MKICAgICAgICB0YWc6IHYxLjMyLjEtazNzMQogICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIHJlc291cmNlczoKICAgICAgICBsaW1pdHM6CiAgICAgICAgICBjcHU6IDEwMG0KICAgICAgICAgIG1lbW9yeTogMjU2TWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogNDBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgc2VjdXJpdHlDb250ZXh0OiB7fQogICAgazhzOgogICAgICBhcGlTZXJ2ZXI6CiAgICAgICAgY29tbWFuZDogW10KICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgZXh0cmFBcmdzOiBbXQogICAgICAgIGltYWdlOgogICAgICAgICAgcmVnaXN0cnk6IHJlZ2lzdHJ5Lms4cy5pbwogICAgICAgICAgcmVwb3NpdG9yeToga3ViZS1hcGlzZXJ2ZXIKICAgICAgICAgIHRhZzogdjEuMzIuMQogICAgICAgIGltYWdlUHVsbFBvbGljeTogIiIKICAgICAgY29udHJvbGxlck1hbmFnZXI6CiAgICAgICAgY29tbWFuZDogW10KICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgZXh0cmFBcmdzOiBbXQogICAgICAgIGltYWdlOgogICAgICAgICAgcmVnaXN0cnk6IHJlZ2lzdHJ5Lms4cy5pbwogICAgICAgICAgcmVwb3NpdG9yeToga3ViZS1jb250cm9sbGVyLW1hbmFnZXIKICAgICAgICAgIHRhZzogdjEuMzIuMQogICAgICAgIGltYWdlUHVsbFBvbGljeTogIiIKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZW52OiBbXQogICAgICByZXNvdXJjZXM6CiAgICAgICAgbGltaXRzOgogICAgICAgICAgY3B1OiAxMDBtCiAgICAgICAgICBtZW1vcnk6IDI1Nk1pCiAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICBjcHU6IDQwbQogICAgICAgICAgbWVtb3J5OiA2NE1pCiAgICAgIHNjaGVkdWxlcjoKICAgICAgICBjb21tYW5kOiBbXQogICAgICAgIGV4dHJhQXJnczogW10KICAgICAgICBpbWFnZToKICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgIHJlcG9zaXRvcnk6IGt1YmUtc2NoZWR1bGVyCiAgICAgICAgICB0YWc6IHYxLjMyLjEKICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIHNlY3VyaXR5Q29udGV4dDoge30KICAgICAgdmVyc2lvbjogIiIKICBpbmdyZXNzOgogICAgYW5ub3RhdGlvbnM6CiAgICAgIGNlcnQtbWFuYWdlci5pby9jbHVzdGVyLWlzc3VlcjogbGV0c2VuY3J5cHQtcHJvZHVjdGlvbgogICAgICBuZ2lueC5pbmdyZXNzLmt1YmVybmV0ZXMuaW8vYmFja2VuZC1wcm90b2NvbDogSFRUUFMKICAgICAgbmdpbnguaW5ncmVzcy5rdWJlcm5ldGVzLmlvL3NzbC1wYXNzdGhyb3VnaDogInRydWUiCiAgICAgIG5naW54LmluZ3Jlc3Mua3ViZXJuZXRlcy5pby9zc2wtcmVkaXJlY3Q6ICJ0cnVlIgogICAgZW5hYmxlZDogdHJ1ZQogICAgaG9zdDogdGVzdGNsdXN0ZXIubG9jYWwKICAgIGxhYmVsczoge30KICAgIHBhdGhUeXBlOiBJbXBsZW1lbnRhdGlvblNwZWNpZmljCiAgICBzcGVjOgogICAgICB0bHM6CiAgICAgIC0gaG9zdHM6CiAgICAgICAgLSB0ZXN0Y2x1c3Rlci5sb2NhbAogICAgICAgIHNlY3JldE5hbWU6IG9pZGMtdGxzCiAgcHJveHk6CiAgICBiaW5kQWRkcmVzczogMC4wLjAuMAogICAgZXh0cmFTQU5zOiBbXQogICAgcG9ydDogODQ0MwogIHNlcnZpY2U6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGVuYWJsZWQ6IHRydWUKICAgIGh0dHBzTm9kZVBvcnQ6IDAKICAgIGt1YmVsZXROb2RlUG9ydDogMAogICAgbGFiZWxzOiB7fQogICAgc3BlYzoKICAgICAgdHlwZTogQ2x1c3RlcklQCiAgc2VydmljZU1vbml0b3I6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBsYWJlbHM6IHt9CiAgc3RhdGVmdWxTZXQ6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGFyZ3M6IFtdCiAgICBjb21tYW5kOiBbXQogICAgZW5hYmxlU2VydmljZUxpbmtzOiB0cnVlCiAgICBlbnY6IFtdCiAgICBoaWdoQXZhaWxhYmlsaXR5OgogICAgICBsZWFzZUR1cmF0aW9uOiA2MAogICAgICByZW5ld0RlYWRsaW5lOiA0MAogICAgICByZXBsaWNhczogMQogICAgICByZXRyeVBlcmlvZDogMTUKICAgIGltYWdlOgogICAgICByZWdpc3RyeTogZ2hjci5pbwogICAgICByZXBvc2l0b3J5OiBsb2Z0LXNoL3ZjbHVzdGVyLW9zcwogICAgICB0YWc6IDAuMjQuMQogICAgaW1hZ2VQdWxsUG9saWN5OiAiIgogICAgbGFiZWxzOiB7fQogICAgcGVyc2lzdGVuY2U6CiAgICAgIGFkZFZvbHVtZU1vdW50czogW10KICAgICAgYWRkVm9sdW1lczogW10KICAgICAgYmluYXJpZXNWb2x1bWU6CiAgICAgIC0gZW1wdHlEaXI6IHt9CiAgICAgICAgbmFtZTogYmluYXJpZXMKICAgICAgZGF0YVZvbHVtZTogW10KICAgICAgdm9sdW1lQ2xhaW06CiAgICAgICAgYWNjZXNzTW9kZXM6CiAgICAgICAgLSBSZWFkV3JpdGVPbmNlCiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgICByZXRlbnRpb25Qb2xpY3k6IFJldGFpbgogICAgICAgIHNpemU6IDVHaQogICAgICB2b2x1bWVDbGFpbVRlbXBsYXRlczogW10KICAgIHBvZHM6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBsYWJlbHM6IHt9CiAgICBwcm9iZXM6CiAgICAgIGxpdmVuZXNzUHJvYmU6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICByZWFkaW5lc3NQcm9iZToKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHN0YXJ0dXBQcm9iZToKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICByZXNvdXJjZXM6CiAgICAgIGxpbWl0czoKICAgICAgICBlcGhlbWVyYWwtc3RvcmFnZTogOEdpCiAgICAgICAgbWVtb3J5OiAyR2kKICAgICAgcmVxdWVzdHM6CiAgICAgICAgY3B1OiAyMDBtCiAgICAgICAgZXBoZW1lcmFsLXN0b3JhZ2U6IDQwME1pCiAgICAgICAgbWVtb3J5OiAyNTZNaQogICAgc2NoZWR1bGluZzoKICAgICAgYWZmaW5pdHk6IHt9CiAgICAgIG5vZGVTZWxlY3Rvcjoge30KICAgICAgcG9kTWFuYWdlbWVudFBvbGljeTogUGFyYWxsZWwKICAgICAgcHJpb3JpdHlDbGFzc05hbWU6ICIiCiAgICAgIHRvbGVyYXRpb25zOiBbXQogICAgICB0b3BvbG9neVNwcmVhZENvbnN0cmFpbnRzOiBbXQogICAgc2VjdXJpdHk6CiAgICAgIGNvbnRhaW5lclNlY3VyaXR5Q29udGV4dDoKICAgICAgICBhbGxvd1ByaXZpbGVnZUVzY2FsYXRpb246IGZhbHNlCiAgICAgIHBvZFNlY3VyaXR5Q29udGV4dDoge30KICAgIHdvcmtpbmdEaXI6ICIiCmV4cGVyaW1lbnRhbDoKICBkZXBsb3k6CiAgICBob3N0OgogICAgICBtYW5pZmVzdHM6ICIiCiAgICAgIG1hbmlmZXN0c1RlbXBsYXRlOiAiIgogICAgdmNsdXN0ZXI6CiAgICAgIGhlbG06IFtdCiAgICAgIG1hbmlmZXN0czogfC0KICAgICAgICBjbHVzdGVyLWFkbWluOgogICAgICAgICAga2luZDogQ2x1c3RlclJvbGVCaW5kaW5nCiAgICAgICAgICBhcGlWZXJzaW9uOiByYmFjLmF1dGhvcml6YXRpb24uazhzLmlvL3YxCiAgICAgICAgICBtZXRhZGF0YToKICAgICAgICAgICAgbmFtZTogb2lkYy1jbHVzdGVyLWFkbWluCiAgICAgICAgICByb2xlUmVmOgogICAgICAgICAgICBhcGlHcm91cDogcmJhYy5hdXRob3JpemF0aW9uLms4cy5pbwogICAgICAgICAgICBraW5kOiBDbHVzdGVyUm9sZQogICAgICAgICAgICBuYW1lOiBjbHVzdGVyLWFkbWluCiAgICAgICAgICBzdWJqZWN0czoKICAgICAgICAgICAgLSBraW5kOiBHcm91cAogICAgICAgICAgICAgIG5hbWU6IGFkbWluCiAgICAgIG1hbmlmZXN0c1RlbXBsYXRlOiAiIgogIGdlbmVyaWNTeW5jOgogICAgY2x1c3RlclJvbGU6CiAgICAgIGV4dHJhUnVsZXM6IFtdCiAgICByb2xlOgogICAgICBleHRyYVJ1bGVzOiBbXQogIGlzb2xhdGVkQ29udHJvbFBsYW5lOgogICAgaGVhZGxlc3M6IGZhbHNlCiAgbXVsdGlOYW1lc3BhY2VNb2RlOgogICAgZW5hYmxlZDogZmFsc2UKICByZXVzZU5hbWVzcGFjZTogZmFsc2UKICBzeW5jU2V0dGluZ3M6CiAgICBkaXNhYmxlU3luYzogZmFsc2UKICAgIHJld3JpdGVLdWJlcm5ldGVzU2VydmljZTogZmFsc2UKICAgIHNldE93bmVyOiB0cnVlCiAgICB0YXJnZXROYW1lc3BhY2U6ICIiCmV4cG9ydEt1YmVDb25maWc6CiAgY29udGV4dDogIiIKICBpbnNlY3VyZTogZmFsc2UKICBzZWNyZXQ6CiAgICBuYW1lOiAiIgogICAgbmFtZXNwYWNlOiAiIgogIHNlcnZlcjogaHR0cHM6Ly90ZXN0Y2x1c3Rlci5sb2NhbAogIHNlcnZpY2VBY2NvdW50OgogICAgY2x1c3RlclJvbGU6IGNsdXN0ZXItYWRtaW4KICAgIG5hbWU6IG9pZGMtYWRtaW4KICAgIG5hbWVzcGFjZTogIiIKZXh0ZXJuYWw6IHt9CmludGVncmF0aW9uczoKICBjZXJ0TWFuYWdlcjoKICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBzeW5jOgogICAgICBmcm9tSG9zdDoKICAgICAgICBjbHVzdGVySXNzdWVyczoKICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICAgIHNlbGVjdG9yOgogICAgICAgICAgICBsYWJlbHM6IHt9CiAgICAgIHRvSG9zdDoKICAgICAgICBjZXJ0aWZpY2F0ZXM6CiAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgaXNzdWVyczoKICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICBleHRlcm5hbFNlY3JldHM6CiAgICBlbmFibGVkOiBmYWxzZQogICAgc3luYzoKICAgICAgY2x1c3RlclN0b3JlczoKICAgICAgICBlbmFibGVkOiBmYWxzZQogICAgICAgIHNlbGVjdG9yOgogICAgICAgICAgbGFiZWxzOiB7fQogICAgICBleHRlcm5hbFNlY3JldHM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICBzdG9yZXM6CiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHdlYmhvb2s6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAga3ViZVZpcnQ6CiAgICBlbmFibGVkOiBmYWxzZQogICAgc3luYzoKICAgICAgZGF0YVZvbHVtZXM6CiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgdmlydHVhbE1hY2hpbmVDbG9uZXM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICB2aXJ0dWFsTWFjaGluZUluc3RhbmNlTWlncmF0aW9uczoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHZpcnR1YWxNYWNoaW5lSW5zdGFuY2VzOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgdmlydHVhbE1hY2hpbmVQb29sczoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHZpcnR1YWxNYWNoaW5lczoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICB3ZWJob29rOgogICAgICBlbmFibGVkOiB0cnVlCiAgbWV0cmljc1NlcnZlcjoKICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBub2RlczogdHJ1ZQogICAgcG9kczogdHJ1ZQpuZXR3b3JraW5nOgogIGFkdmFuY2VkOgogICAgY2x1c3RlckRvbWFpbjogY2x1c3Rlci5sb2NhbAogICAgZmFsbGJhY2tIb3N0Q2x1c3RlcjogZmFsc2UKICAgIHByb3h5S3ViZWxldHM6CiAgICAgIGJ5SG9zdG5hbWU6IHRydWUKICAgICAgYnlJUDogdHJ1ZQogIHJlcGxpY2F0ZVNlcnZpY2VzOgogICAgZnJvbUhvc3Q6IFtdCiAgICB0b0hvc3Q6IFtdCiAgcmVzb2x2ZUROUzogW10KcGx1Z2luczoge30KcG9saWNpZXM6CiAgY2VudHJhbEFkbWlzc2lvbjoKICAgIG11dGF0aW5nV2ViaG9va3M6IFtdCiAgICB2YWxpZGF0aW5nV2ViaG9va3M6IFtdCiAgbGltaXRSYW5nZToKICAgIGFubm90YXRpb25zOiB7fQogICAgZGVmYXVsdDoKICAgICAgY3B1OiAiMSIKICAgICAgZXBoZW1lcmFsLXN0b3JhZ2U6IDhHaQogICAgICBtZW1vcnk6IDUxMk1pCiAgICBkZWZhdWx0UmVxdWVzdDoKICAgICAgY3B1OiAxMDBtCiAgICAgIGVwaGVtZXJhbC1zdG9yYWdlOiAzR2kKICAgICAgbWVtb3J5OiAxMjhNaQogICAgZW5hYmxlZDogYXV0bwogICAgbGFiZWxzOiB7fQogICAgbWF4OiB7fQogICAgbWluOiB7fQogIG5ldHdvcmtQb2xpY3k6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBmYWxsYmFja0RuczogOC44LjguOAogICAgbGFiZWxzOiB7fQogICAgb3V0Z29pbmdDb25uZWN0aW9uczoKICAgICAgaXBCbG9jazoKICAgICAgICBjaWRyOiAwLjAuMC4wLzAKICAgICAgICBleGNlcHQ6CiAgICAgICAgLSAxMDAuNjQuMC4wLzEwCiAgICAgICAgLSAxMjcuMC4wLjAvOAogICAgICAgIC0gMTAuMC4wLjAvOAogICAgICAgIC0gMTcyLjE2LjAuMC8xMgogICAgICAgIC0gMTkyLjE2OC4wLjAvMTYKICAgICAgcGxhdGZvcm06IHRydWUKICByZXNvdXJjZVF1b3RhOgogICAgYW5ub3RhdGlvbnM6IHt9CiAgICBlbmFibGVkOiBhdXRvCiAgICBsYWJlbHM6IHt9CiAgICBxdW90YToKICAgICAgY291bnQvY29uZmlnbWFwczogMTAwCiAgICAgIGNvdW50L2VuZHBvaW50czogNDAKICAgICAgY291bnQvcGVyc2lzdGVudHZvbHVtZWNsYWltczogMjAKICAgICAgY291bnQvcG9kczogMjAKICAgICAgY291bnQvc2VjcmV0czogMTAwCiAgICAgIGNvdW50L3NlcnZpY2VzOiAyMAogICAgICBsaW1pdHMuY3B1OiAyMAogICAgICBsaW1pdHMuZXBoZW1lcmFsLXN0b3JhZ2U6IDE2MEdpCiAgICAgIGxpbWl0cy5tZW1vcnk6IDQwR2kKICAgICAgcmVxdWVzdHMuY3B1OiAxMAogICAgICByZXF1ZXN0cy5lcGhlbWVyYWwtc3RvcmFnZTogNjBHaQogICAgICByZXF1ZXN0cy5tZW1vcnk6IDIwR2kKICAgICAgcmVxdWVzdHMuc3RvcmFnZTogMTAwR2kKICAgICAgc2VydmljZXMubG9hZGJhbGFuY2VyczogMQogICAgICBzZXJ2aWNlcy5ub2RlcG9ydHM6IDAKICAgIHNjb3BlU2VsZWN0b3I6CiAgICAgIG1hdGNoRXhwcmVzc2lvbnM6IFtdCiAgICBzY29wZXM6IFtdCnJiYWM6CiAgY2x1c3RlclJvbGU6CiAgICBlbmFibGVkOiBhdXRvCiAgICBleHRyYVJ1bGVzOiBbXQogICAgb3ZlcndyaXRlUnVsZXM6IFtdCiAgcm9sZToKICAgIGVuYWJsZWQ6IHRydWUKICAgIGV4dHJhUnVsZXM6CiAgICAtIGFwaUdyb3VwczoKICAgICAgLSAiIgogICAgICByZXNvdXJjZXM6CiAgICAgIC0gZW5kcG9pbnRzL3Jlc3RyaWN0ZWQKICAgICAgdmVyYnM6CiAgICAgIC0gY3JlYXRlCiAgICBvdmVyd3JpdGVSdWxlczogW10Kc3luYzoKICBmcm9tSG9zdDoKICAgIGNvbmZpZ01hcHM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgIG1hcHBpbmdzOgogICAgICAgIGJ5TmFtZToge30KICAgIGNzaURyaXZlcnM6CiAgICAgIGVuYWJsZWQ6IGF1dG8KICAgIGNzaU5vZGVzOgogICAgICBlbmFibGVkOiBhdXRvCiAgICBjc2lTdG9yYWdlQ2FwYWNpdGllczoKICAgICAgZW5hYmxlZDogYXV0bwogICAgZXZlbnRzOgogICAgICBlbmFibGVkOiB0cnVlCiAgICBpbmdyZXNzQ2xhc3NlczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIG5vZGVzOgogICAgICBjbGVhckltYWdlU3RhdHVzOiBmYWxzZQogICAgICBlbmFibGVkOiBmYWxzZQogICAgICBzZWxlY3RvcjoKICAgICAgICBhbGw6IGZhbHNlCiAgICAgICAgbGFiZWxzOiB7fQogICAgICBzeW5jQmFja0NoYW5nZXM6IGZhbHNlCiAgICBwcmlvcml0eUNsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBydW50aW1lQ2xhc3NlczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHNlY3JldHM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgIG1hcHBpbmdzOgogICAgICAgIGJ5TmFtZToge30KICAgIHN0b3JhZ2VDbGFzc2VzOgogICAgICBlbmFibGVkOiBhdXRvCiAgICB2b2x1bWVTbmFwc2hvdENsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgdG9Ib3N0OgogICAgY29uZmlnTWFwczoKICAgICAgYWxsOiBmYWxzZQogICAgICBlbmFibGVkOiB0cnVlCiAgICBlbmRwb2ludHM6CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIGluZ3Jlc3NlczoKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgbmV0d29ya1BvbGljaWVzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgcGVyc2lzdGVudFZvbHVtZUNsYWltczoKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgcGVyc2lzdGVudFZvbHVtZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBwb2REaXNydXB0aW9uQnVkZ2V0czoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHBvZHM6CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgZW5mb3JjZVRvbGVyYXRpb25zOiBbXQogICAgICBwcmlvcml0eUNsYXNzTmFtZTogIiIKICAgICAgcmV3cml0ZUhvc3RzOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICBpbml0Q29udGFpbmVyOgogICAgICAgICAgaW1hZ2U6IGxpYnJhcnkvYWxwaW5lOjMuMjAKICAgICAgICAgIHJlc291cmNlczoKICAgICAgICAgICAgbGltaXRzOgogICAgICAgICAgICAgIGNwdTogMzBtCiAgICAgICAgICAgICAgbWVtb3J5OiA2NE1pCiAgICAgICAgICAgIHJlcXVlc3RzOgogICAgICAgICAgICAgIGNwdTogMzBtCiAgICAgICAgICAgICAgbWVtb3J5OiA2NE1pCiAgICAgIHJ1bnRpbWVDbGFzc05hbWU6ICIiCiAgICAgIHRyYW5zbGF0ZUltYWdlOiB7fQogICAgICB1c2VTZWNyZXRzRm9yU0FUb2tlbnM6IGZhbHNlCiAgICBwcmlvcml0eUNsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBzZWNyZXRzOgogICAgICBhbGw6IGZhbHNlCiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIHNlcnZpY2VBY2NvdW50czoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHNlcnZpY2VzOgogICAgICBlbmFibGVkOiB0cnVlCiAgICBzdG9yYWdlQ2xhc3NlczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHZvbHVtZVNuYXBzaG90Q29udGVudHM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICB2b2x1bWVTbmFwc2hvdHM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCnRlbGVtZXRyeToKICBlbmFibGVkOiB0cnVl +kind: Secret +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: vc-config-oidc + namespace: testns +type: Opaque diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml new file mode 100644 index 0000000..e2a011f --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml @@ -0,0 +1,68 @@ +apiVersion: v1 +data: + coredns.yaml: "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: coredns\n\ + \ namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind:\ + \ ClusterRole\nmetadata:\n labels:\n kubernetes.io/bootstrapping: rbac-defaults\n\ + \ name: system:coredns\nrules:\n - apiGroups:\n - \"\"\n resources:\n\ + \ - endpoints\n - services\n - pods\n - namespaces\n verbs:\n\ + \ - list\n - watch\n - apiGroups:\n - discovery.k8s.io\n resources:\n\ + \ - endpointslices\n verbs:\n - list\n - watch\n---\napiVersion:\ + \ rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n annotations:\n\ + \ rbac.authorization.kubernetes.io/autoupdate: \"true\"\n labels:\n kubernetes.io/bootstrapping:\ + \ rbac-defaults\n name: system:coredns\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n\ + \ kind: ClusterRole\n name: system:coredns\nsubjects:\n - kind: ServiceAccount\n\ + \ name: coredns\n namespace: kube-system\n---\napiVersion: v1\nkind: ConfigMap\n\ + metadata:\n name: coredns\n namespace: kube-system\ndata:\n Corefile: |-\n\ + \ .:1053 {\n errors\n health\n ready\n rewrite\ + \ name regex .*\\.nodes\\.vcluster\\.com kubernetes.default.svc.cluster.local\n\ + \ kubernetes cluster.local in-addr.arpa ip6.arpa {\n pods insecure\n\ + \ fallthrough in-addr.arpa ip6.arpa\n }\n hosts /etc/NodeHosts\ + \ {\n ttl 60\n reload 15s\n fallthrough\n \ + \ }\n prometheus :9153\n forward . /etc/resolv.conf\n \ + \ cache 30\n loop\n loadbalance\n }\n \n import /etc/coredns/custom/*.server\n\ + \ NodeHosts: \"\"\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name:\ + \ coredns\n namespace: kube-system\n labels:\n k8s-app: vcluster-kube-dns\n\ + \ kubernetes.io/name: \"CoreDNS\"\nspec:\n replicas: 1\n strategy:\n type:\ + \ RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n \ + \ matchLabels:\n k8s-app: vcluster-kube-dns\n template:\n metadata:\n\ + \ labels:\n k8s-app: vcluster-kube-dns\n spec:\n priorityClassName:\ + \ \"\"\n serviceAccountName: coredns\n nodeSelector:\n kubernetes.io/os:\ + \ linux\n topologySpreadConstraints:\n - labelSelector:\n \ + \ matchLabels:\n k8s-app: vcluster-kube-dns\n maxSkew:\ + \ 1\n topologyKey: kubernetes.io/hostname\n whenUnsatisfiable:\ + \ DoNotSchedule\n containers:\n - name: coredns\n image:\ + \ {{.IMAGE}}\n imagePullPolicy: IfNotPresent\n resources:\n\ + \ limits:\n cpu: 1000m\n memory: 170Mi\n\ + \ requests:\n cpu: 20m\n memory: 64Mi\n \ + \ args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n volumeMounts:\n\ + \ - name: config-volume\n mountPath: /etc/coredns\n \ + \ readOnly: true\n - name: custom-config-volume\n \ + \ mountPath: /etc/coredns/custom\n readOnly: true\n \ + \ securityContext:\n runAsNonRoot: true\n runAsUser:\ + \ {{.RUN_AS_USER}}\n runAsGroup: {{.RUN_AS_GROUP}}\n allowPrivilegeEscalation:\ + \ false\n capabilities:\n add:\n - NET_BIND_SERVICE\n\ + \ drop:\n - ALL\n readOnlyRootFilesystem:\ + \ true\n livenessProbe:\n httpGet:\n path: /health\n\ + \ port: 8080\n scheme: HTTP\n initialDelaySeconds:\ + \ 60\n periodSeconds: 10\n timeoutSeconds: 1\n \ + \ successThreshold: 1\n failureThreshold: 3\n readinessProbe:\n\ + \ httpGet:\n path: /ready\n port: 8181\n\ + \ scheme: HTTP\n initialDelaySeconds: 0\n periodSeconds:\ + \ 2\n timeoutSeconds: 1\n successThreshold: 1\n \ + \ failureThreshold: 3\n dnsPolicy: Default\n volumes:\n -\ + \ name: config-volume\n configMap:\n name: coredns\n \ + \ items:\n - key: Corefile\n path: Corefile\n\ + \ - key: NodeHosts\n path: NodeHosts\n - name:\ + \ custom-config-volume\n configMap:\n name: coredns-custom\n\ + \ optional: true\n---\napiVersion: v1\nkind: Service\nmetadata:\n \ + \ name: kube-dns\n namespace: kube-system\n annotations:\n prometheus.io/port:\ + \ \"9153\"\n prometheus.io/scrape: \"true\"\n labels:\n k8s-app: vcluster-kube-dns\n\ + \ kubernetes.io/cluster-service: \"true\"\n kubernetes.io/name: \"CoreDNS\"\ + \nspec:\n type: ClusterIP\n selector:\n k8s-app: vcluster-kube-dns\n ports:\n\ + \ - name: dns\n port: 53\n targetPort: 1053\n protocol: UDP\n\ + \ - name: dns-tcp\n port: 53\n targetPort: 1053\n protocol:\ + \ TCP\n - name: metrics\n port: 9153\n protocol: TCP" +kind: ConfigMap +metadata: + name: vc-coredns-oidc + namespace: testns diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/ingress.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/ingress.yaml new file mode 100644 index 0000000..49eb30c --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/ingress.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/ssl-passthrough: 'true' + nginx.ingress.kubernetes.io/ssl-redirect: 'true' + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: oidc + namespace: testns +spec: + rules: + - host: testcluster.local + http: + paths: + - backend: + service: + name: oidc + port: + name: https + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - testcluster.local + secretName: oidc-tls diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/role.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/role.yaml new file mode 100644 index 0000000..a678c4d --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/role.yaml @@ -0,0 +1,85 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: vc-oidc + namespace: testns +rules: + - apiGroups: + - '' + resources: + - configmaps + - secrets + - services + - pods + - pods/attach + - pods/portforward + - pods/exec + - persistentvolumeclaims + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods/status + - pods/ephemeralcontainers + verbs: + - patch + - update + - apiGroups: + - apps + resources: + - statefulsets + - replicasets + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints + - events + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - delete + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints/restricted + verbs: + - create diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml new file mode 100644 index 0000000..81ae6e9 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: vc-oidc + namespace: testns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vc-oidc +subjects: + - kind: ServiceAccount + name: vc-oidc + namespace: testns diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/service.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/service.yaml new file mode 100644 index 0000000..8d38d52 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + vcluster.loft.sh/service: 'true' + name: oidc + namespace: testns +spec: + ports: + - name: https + nodePort: 0 + port: 443 + protocol: TCP + targetPort: 8443 + - name: kubelet + nodePort: 0 + port: 10250 + protocol: TCP + targetPort: 8443 + selector: + app: vcluster + release: oidc + type: ClusterIP diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml new file mode 100644 index 0000000..09a8c32 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: vc-oidc + namespace: testns diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/statefulset.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/statefulset.yaml new file mode 100644 index 0000000..8c90100 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/statefulset.yaml @@ -0,0 +1,142 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: oidc + namespace: testns +spec: + replicas: 1 + selector: + matchLabels: + app: vcluster + release: oidc + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + vClusterConfigHash: 74e5f911ad6e9a56272049a3f6c9b4926f4d0aa26f7a88cd3df1ce99d64d87bc + labels: + app: vcluster + release: oidc + spec: + containers: + - env: + - name: VCLUSTER_NAME + value: oidc + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: ghcr.io/loft-sh/vcluster-oss:0.24.1 + imagePullPolicy: null + livenessProbe: + failureThreshold: 60 + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 60 + periodSeconds: 2 + timeoutSeconds: 3 + name: syncer + readinessProbe: + failureThreshold: 60 + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + periodSeconds: 2 + timeoutSeconds: 3 + resources: + limits: + ephemeral-storage: 8Gi + memory: 2Gi + requests: + cpu: 200m + ephemeral-storage: 400Mi + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + startupProbe: + failureThreshold: 300 + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + periodSeconds: 6 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /binaries + name: binaries + - mountPath: /pki + name: certs + - mountPath: /.cache/helm + name: helm-cache + - mountPath: /etc/rancher + name: k3s-config + - mountPath: /var/vcluster + name: vcluster-config + - mountPath: /tmp + name: tmp + - mountPath: /manifests/coredns + name: coredns + readOnly: true + enableServiceLinks: true + initContainers: + - args: + - -c + - cp /bin/k3s /binaries/k3s + command: + - /bin/sh + image: docker.io/rancher/k3s:v1.32.1-k3s1 + name: vcluster + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 40m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /binaries + name: binaries + serviceAccountName: vc-oidc + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: helm-cache + - emptyDir: {} + name: binaries + - emptyDir: {} + name: tmp + - emptyDir: {} + name: certs + - emptyDir: {} + name: k3s-config + - name: vcluster-config + secret: + secretName: vc-config-oidc + - configMap: + name: vc-coredns-oidc + name: coredns + - emptyDir: {} + name: data diff --git a/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml new file mode 100644 index 0000000..4b48c68 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: oidc + name: vc-workload-oidc + namespace: testns diff --git a/tests/golden/oidc/oidc/oidc/10_cluster.yaml b/tests/golden/oidc/oidc/oidc/10_cluster.yaml deleted file mode 100644 index 2757d0d..0000000 --- a/tests/golden/oidc/oidc/oidc/10_cluster.yaml +++ /dev/null @@ -1,630 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: vc-oidc - name: vc-oidc - namespace: testns ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: oidc - name: oidc - namespace: testns -rules: - - apiGroups: - - '' - resources: - - configmaps - - secrets - - services - - pods - - pods/attach - - pods/portforward - - pods/exec - - endpoints - - persistentvolumeclaims - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - - pods/log - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - replicasets - - deployments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: oidc - name: oidc - namespace: testns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: oidc -subjects: - - kind: ServiceAccount - name: vc-oidc - namespace: testns ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: {} - labels: - name: syn-vcluster-oidc - name: syn-vcluster-oidc -rules: - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: {} - labels: - name: syn-vcluster-oidc - name: syn-vcluster-oidc -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: syn-vcluster-oidc -subjects: - - kind: ServiceAccount - name: vc-oidc - namespace: testns ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: oidc - name: oidc - namespace: testns -spec: - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: vcluster - release: oidc - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: oidc-headless - name: oidc-headless - namespace: testns -spec: - clusterIP: None - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: vcluster - release: oidc ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - annotations: {} - labels: - name: oidc - name: oidc - namespace: testns -spec: - replicas: 1 - selector: - matchLabels: - app: vcluster - release: oidc - serviceName: oidc-headless - template: - metadata: - labels: - app: vcluster - release: oidc - spec: - affinity: {} - containers: - - args: - - server - - --write-kubeconfig=/data/k3s-config/kube-config.yaml - - --data-dir=/data - - --disable=traefik,servicelb,metrics-server,local-storage,coredns - - --disable-network-policy - - --disable-agent - - --disable-scheduler - - --disable-cloud-controller - - --flannel-backend=none - - --service-cidr=172.30.0.0/16 - - --kube-controller-manager-arg=controllers=*,-nodeipam,-nodelifecycle,-persistentvolume-binder,-attachdetach,-persistentvolume-expander,-cloud-node-lifecycle - - --tls-san=oidc.testns.svc.cluster.local - - --tls-san=oidc.testns.svc - - --tls-san=oidc.testns - - --tls-san=oidc - - --kube-apiserver-arg=oidc-issuer-url=https://id.local/auth/realms/local - - --kube-apiserver-arg=oidc-client-id=local - - --kube-apiserver-arg=oidc-username-claim=email - - --kube-apiserver-arg=oidc-groups-claim=groups - command: - - /bin/k3s - env: [] - image: docker.io/rancher/k3s:v1.25.15-k3s1 - name: vcluster - resources: - limits: - memory: 2Gi - requests: - cpu: 200m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/rancher - name: etc-rancher - - args: - - --name=oidc - - --out-kube-config-secret=vc-oidc-kubeconfig - - --sync=ingresses - - --tls-san=oidc.testns.svc.cluster.local - - --tls-san=oidc.testns.svc - - --tls-san=oidc.testns - - --tls-san=oidc - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: docker.io/loftsh/vcluster:0.14.1 - livenessProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 60 - periodSeconds: 2 - name: syncer - readinessProbe: - failureThreshold: 30 - httpGet: - path: /readyz - port: 8443 - scheme: HTTPS - periodSeconds: 2 - resources: - limits: - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /data - name: data - readOnly: true - - mountPath: /manifests/coredns - name: coredns - readOnly: true - nodeSelector: {} - serviceAccountName: vc-oidc - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - configMap: - defaultMode: 420 - name: vc-oidc-coredns - name: coredns - - emptyDir: {} - name: etc-rancher - - emptyDir: {} - name: data - volumeClaimTemplates: [] ---- -apiVersion: v1 -data: - manifests: | - --- - "apiVersion": "rbac.authorization.k8s.io/v1" - "kind": "ClusterRoleBinding" - "metadata": - "name": "oidc-cluster-admin" - "roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "cluster-admin" - "subjects": - - "kind": "Group" - "name": "admin" -kind: ConfigMap -metadata: - annotations: {} - labels: - name: oidc-init-manifests - name: oidc-init-manifests - namespace: testns ---- -apiVersion: v1 -data: - coredns.yaml: | - apiVersion: v1 - kind: ServiceAccount - metadata: - name: coredns - namespace: kube-system - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns - subjects: - - kind: ServiceAccount - name: coredns - namespace: kube-system - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: coredns - namespace: kube-system - data: - Corefile: | - .:1053 { - {{.LOG_IN_DEBUG}} - errors - health - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - } - hosts /etc/coredns/NodeHosts { - ttl 60 - reload 15s - fallthrough - } - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } - - import /etc/coredns/custom/*.server - NodeHosts: "" - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: coredns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/name: "CoreDNS" - spec: - replicas: 1 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: kube-dns - template: - metadata: - labels: - k8s-app: kube-dns - spec: - priorityClassName: "system-cluster-critical" - serviceAccountName: coredns - nodeSelector: - kubernetes.io/os: linux - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - k8s-app: kube-dns - containers: - - name: coredns - image: {{.IMAGE}} - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 1000m - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - - name: custom-config-volume - mountPath: /etc/coredns/custom - readOnly: true - ports: - - containerPort: 1053 - name: dns - protocol: UDP - - containerPort: 1053 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - securityContext: - runAsNonRoot: true - runAsUser: {{.RUN_AS_USER}} - runAsGroup: {{.RUN_AS_GROUP}} - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 2 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: Default - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile - - key: NodeHosts - path: NodeHosts - - name: custom-config-volume - configMap: - name: coredns-custom - optional: true - --- - apiVersion: v1 - kind: Service - metadata: - name: kube-dns - namespace: kube-system - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - spec: - selector: - k8s-app: kube-dns - type: ClusterIP - ports: - - name: dns - port: 53 - targetPort: 1053 - protocol: UDP - - name: dns-tcp - port: 53 - targetPort: 1053 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP -kind: ConfigMap -metadata: - annotations: {} - labels: - name: vc-oidc-coredns - name: vc-oidc-coredns - namespace: testns ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - labels: - name: oidc - name: oidc - namespace: testns -spec: - rules: - - host: testcluster.local - http: - paths: - - backend: - service: - name: oidc - port: - name: https - path: / - pathType: Prefix - tls: - - hosts: - - testcluster.local - secretName: oidc-tls ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/hook: PostSync - labels: - name: oidc-synthesize - name: oidc-synthesize - namespace: testns -spec: - completions: 1 - parallelism: 1 - template: - metadata: - labels: - name: oidc-synthesize - spec: - containers: - - args: - - -eu - - -c - - | - #!/bin/sh - set -eu - - cp /etc/vcluster-kubeconfig/config ./config - vcluster_kubeconfig=./config - - echo "Setting server URL..." - - kubectl --kubeconfig "$vcluster_kubeconfig" config set clusters.local.server "$VCLUSTER_SERVER_URL" - - echo "Checking for namespace 'syn'..." - - exists=$(kubectl --kubeconfig "$vcluster_kubeconfig" get namespace syn --ignore-not-found) - if [ -n "$exists" ]; then - echo "Namespace 'syn' exists. Skipping synthesize." - exit 0 - fi - - echo "Starting synthesize..." - - kubectl --kubeconfig "$vcluster_kubeconfig" apply -f "$1" - - echo "Done!" - - -- - - https://syn.example.com/steward/install.json?token=w84kxjbhf - command: - - sh - env: - - name: HOME - value: /export - - name: VCLUSTER_SERVER_URL - value: https://oidc:443 - image: docker.io/bitnami/kubectl:1.28.15 - imagePullPolicy: IfNotPresent - name: oidc-synthesize - ports: [] - stdin: false - tty: false - volumeMounts: - - mountPath: /export - name: export - - mountPath: /etc/vcluster-kubeconfig - name: kubeconfig - readOnly: true - workingDir: /export - imagePullSecrets: [] - initContainers: [] - restartPolicy: OnFailure - terminationGracePeriodSeconds: 30 - volumes: - - emptyDir: {} - name: export - - name: kubeconfig - secret: - secretName: vc-oidc-kubeconfig diff --git a/tests/golden/oidc/oidc/oidc/11_synthesize.yaml b/tests/golden/oidc/oidc/oidc/11_synthesize.yaml new file mode 100644 index 0000000..b94b7b6 --- /dev/null +++ b/tests/golden/oidc/oidc/oidc/11_synthesize.yaml @@ -0,0 +1,77 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/hook: PostSync + labels: + name: oidc-synthesize + name: oidc-synthesize + namespace: testns +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: oidc-synthesize + spec: + containers: + - args: + - -eu + - -c + - | + #!/bin/sh + set -eu + + cp /etc/vcluster-kubeconfig/config ./config + vcluster_kubeconfig=./config + + echo "Setting server URL..." + + kubectl --kubeconfig "$vcluster_kubeconfig" config set clusters.local.server "$VCLUSTER_SERVER_URL" + + echo "Checking for namespace 'syn'..." + + exists=$(kubectl --kubeconfig "$vcluster_kubeconfig" get namespace syn --ignore-not-found) + if [ -n "$exists" ]; then + echo "Namespace 'syn' exists. Skipping synthesize." + exit 0 + fi + + echo "Starting synthesize..." + + kubectl --kubeconfig "$vcluster_kubeconfig" apply -f "$1" + + echo "Done!" + - -- + - https://syn.example.com/steward/install.json?token=w84kxjbhf + command: + - sh + env: + - name: HOME + value: /export + - name: VCLUSTER_SERVER_URL + value: https://oidc:443 + image: docker.io/bitnami/kubectl:1.32.1 + imagePullPolicy: IfNotPresent + name: oidc-synthesize + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /export + name: export + - mountPath: /etc/vcluster-kubeconfig + name: kubeconfig + readOnly: true + workingDir: /export + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: export + - name: kubeconfig + secret: + secretName: vc-oidc diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/config-secret.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/config-secret.yaml new file mode 100644 index 0000000..5b21d8a --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/config-secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + config.yaml: Y29udHJvbFBsYW5lOgogIGFkdmFuY2VkOgogICAgZGVmYXVsdEltYWdlUmVnaXN0cnk6ICIiCiAgICBnbG9iYWxNZXRhZGF0YToKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICBoZWFkbGVzc1NlcnZpY2U6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBsYWJlbHM6IHt9CiAgICBzZXJ2aWNlQWNjb3VudDoKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgaW1hZ2VQdWxsU2VjcmV0czogW10KICAgICAgbGFiZWxzOiB7fQogICAgICBuYW1lOiAiIgogICAgdmlydHVhbFNjaGVkdWxlcjoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHdvcmtsb2FkU2VydmljZUFjY291bnQ6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGltYWdlUHVsbFNlY3JldHM6IFtdCiAgICAgIGxhYmVsczoge30KICAgICAgbmFtZTogIiIKICBiYWNraW5nU3RvcmU6CiAgICBkYXRhYmFzZToKICAgICAgZW1iZWRkZWQ6CiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZXh0ZXJuYWw6CiAgICAgICAgY2FGaWxlOiAiIgogICAgICAgIGNlcnRGaWxlOiAiIgogICAgICAgIGNvbm5lY3RvcjogIiIKICAgICAgICBkYXRhU291cmNlOiAiIgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAga2V5RmlsZTogIiIKICAgIGV0Y2Q6CiAgICAgIGRlcGxveToKICAgICAgICBlbmFibGVkOiBmYWxzZQogICAgICAgIGhlYWRsZXNzU2VydmljZToKICAgICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgIHNlcnZpY2U6CiAgICAgICAgICBhbm5vdGF0aW9uczoge30KICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgICBzdGF0ZWZ1bFNldDoKICAgICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgICAgZW5hYmxlU2VydmljZUxpbmtzOiB0cnVlCiAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICBlbnY6IFtdCiAgICAgICAgICBleHRyYUFyZ3M6IFtdCiAgICAgICAgICBoaWdoQXZhaWxhYmlsaXR5OgogICAgICAgICAgICByZXBsaWNhczogMQogICAgICAgICAgaW1hZ2U6CiAgICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgICAgcmVwb3NpdG9yeTogZXRjZAogICAgICAgICAgICB0YWc6IDMuNS4xNy0wCiAgICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgICAgICBsYWJlbHM6IHt9CiAgICAgICAgICBwZXJzaXN0ZW5jZToKICAgICAgICAgICAgYWRkVm9sdW1lTW91bnRzOiBbXQogICAgICAgICAgICBhZGRWb2x1bWVzOiBbXQogICAgICAgICAgICB2b2x1bWVDbGFpbToKICAgICAgICAgICAgICBhY2Nlc3NNb2RlczoKICAgICAgICAgICAgICAtIFJlYWRXcml0ZU9uY2UKICAgICAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICAgICAgcmV0ZW50aW9uUG9saWN5OiBSZXRhaW4KICAgICAgICAgICAgICBzaXplOiA1R2kKICAgICAgICAgICAgICBzdG9yYWdlQ2xhc3M6ICIiCiAgICAgICAgICAgIHZvbHVtZUNsYWltVGVtcGxhdGVzOiBbXQogICAgICAgICAgcG9kczoKICAgICAgICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgICAgICAgIGxhYmVsczoge30KICAgICAgICAgIHJlc291cmNlczoKICAgICAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICAgICAgY3B1OiAyMG0KICAgICAgICAgICAgICBtZW1vcnk6IDE1ME1pCiAgICAgICAgICBzY2hlZHVsaW5nOgogICAgICAgICAgICBhZmZpbml0eToge30KICAgICAgICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICAgICAgICBwb2RNYW5hZ2VtZW50UG9saWN5OiBQYXJhbGxlbAogICAgICAgICAgICBwcmlvcml0eUNsYXNzTmFtZTogIiIKICAgICAgICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgICAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6IFtdCiAgICAgICAgICBzZWN1cml0eToKICAgICAgICAgICAgY29udGFpbmVyU2VjdXJpdHlDb250ZXh0OiB7fQogICAgICAgICAgICBwb2RTZWN1cml0eUNvbnRleHQ6IHt9CiAgICAgIGVtYmVkZGVkOgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgICAgbWlncmF0ZUZyb21EZXBsb3llZEV0Y2Q6IGZhbHNlCiAgY29yZWRuczoKICAgIGRlcGxveW1lbnQ6CiAgICAgIGFmZmluaXR5OiB7fQogICAgICBhbm5vdGF0aW9uczoge30KICAgICAgaW1hZ2U6ICIiCiAgICAgIGxhYmVsczoge30KICAgICAgbm9kZVNlbGVjdG9yOiB7fQogICAgICBwb2RzOgogICAgICAgIGFubm90YXRpb25zOiB7fQogICAgICAgIGxhYmVsczoge30KICAgICAgcmVwbGljYXM6IDEKICAgICAgcmVzb3VyY2VzOgogICAgICAgIGxpbWl0czoKICAgICAgICAgIGNwdTogMTAwMG0KICAgICAgICAgIG1lbW9yeTogMTcwTWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogMjBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgdG9sZXJhdGlvbnM6IFtdCiAgICAgIHRvcG9sb2d5U3ByZWFkQ29uc3RyYWludHM6CiAgICAgIC0gbGFiZWxTZWxlY3RvcjoKICAgICAgICAgIG1hdGNoTGFiZWxzOgogICAgICAgICAgICBrOHMtYXBwOiB2Y2x1c3Rlci1rdWJlLWRucwogICAgICAgIG1heFNrZXc6IDEKICAgICAgICB0b3BvbG9neUtleToga3ViZXJuZXRlcy5pby9ob3N0bmFtZQogICAgICAgIHdoZW5VbnNhdGlzZmlhYmxlOiBEb05vdFNjaGVkdWxlCiAgICBlbWJlZGRlZDogZmFsc2UKICAgIGVuYWJsZWQ6IHRydWUKICAgIG92ZXJ3cml0ZUNvbmZpZzogIiIKICAgIG92ZXJ3cml0ZU1hbmlmZXN0czogIiIKICAgIHByaW9yaXR5Q2xhc3NOYW1lOiAiIgogICAgc2VydmljZToKICAgICAgYW5ub3RhdGlvbnM6IHt9CiAgICAgIGxhYmVsczoge30KICAgICAgc3BlYzoKICAgICAgICB0eXBlOiBDbHVzdGVySVAKICBkaXN0cm86CiAgICBrMHM6CiAgICAgIGNvbW1hbmQ6IFtdCiAgICAgIGNvbmZpZzogIiIKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgZXh0cmFBcmdzOiBbXQogICAgICBpbWFnZToKICAgICAgICByZWdpc3RyeTogIiIKICAgICAgICByZXBvc2l0b3J5OiBrMHNwcm9qZWN0L2swcwogICAgICAgIHRhZzogdjEuMzAuMi1rMHMuMAogICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIHJlc291cmNlczoKICAgICAgICBsaW1pdHM6CiAgICAgICAgICBjcHU6IDEwMG0KICAgICAgICAgIG1lbW9yeTogMjU2TWkKICAgICAgICByZXF1ZXN0czoKICAgICAgICAgIGNwdTogNDBtCiAgICAgICAgICBtZW1vcnk6IDY0TWkKICAgICAgc2VjdXJpdHlDb250ZXh0OiB7fQogICAgazNzOgogICAgICBjb21tYW5kOiBbXQogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGV4dHJhQXJnczogW10KICAgICAgaW1hZ2U6CiAgICAgICAgcmVnaXN0cnk6IGRvY2tlci5pbwogICAgICAgIHJlcG9zaXRvcnk6IHJhbmNoZXIvazNzCiAgICAgICAgdGFnOiB2MS4zMi4xLWszczEKICAgICAgaW1hZ2VQdWxsUG9saWN5OiAiIgogICAgICByZXNvdXJjZXM6CiAgICAgICAgbGltaXRzOgogICAgICAgICAgY3B1OiAxMDBtCiAgICAgICAgICBtZW1vcnk6IDI1Nk1pCiAgICAgICAgcmVxdWVzdHM6CiAgICAgICAgICBjcHU6IDQwbQogICAgICAgICAgbWVtb3J5OiA2NE1pCiAgICAgIHNlY3VyaXR5Q29udGV4dDoge30KICAgIGs4czoKICAgICAgYXBpU2VydmVyOgogICAgICAgIGNvbW1hbmQ6IFtdCiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgIGV4dHJhQXJnczogW10KICAgICAgICBpbWFnZToKICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgIHJlcG9zaXRvcnk6IGt1YmUtYXBpc2VydmVyCiAgICAgICAgICB0YWc6IHYxLjMyLjEKICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIGNvbnRyb2xsZXJNYW5hZ2VyOgogICAgICAgIGNvbW1hbmQ6IFtdCiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgIGV4dHJhQXJnczogW10KICAgICAgICBpbWFnZToKICAgICAgICAgIHJlZ2lzdHJ5OiByZWdpc3RyeS5rOHMuaW8KICAgICAgICAgIHJlcG9zaXRvcnk6IGt1YmUtY29udHJvbGxlci1tYW5hZ2VyCiAgICAgICAgICB0YWc6IHYxLjMyLjEKICAgICAgICBpbWFnZVB1bGxQb2xpY3k6ICIiCiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgIGVudjogW10KICAgICAgcmVzb3VyY2VzOgogICAgICAgIGxpbWl0czoKICAgICAgICAgIGNwdTogMTAwbQogICAgICAgICAgbWVtb3J5OiAyNTZNaQogICAgICAgIHJlcXVlc3RzOgogICAgICAgICAgY3B1OiA0MG0KICAgICAgICAgIG1lbW9yeTogNjRNaQogICAgICBzY2hlZHVsZXI6CiAgICAgICAgY29tbWFuZDogW10KICAgICAgICBleHRyYUFyZ3M6IFtdCiAgICAgICAgaW1hZ2U6CiAgICAgICAgICByZWdpc3RyeTogcmVnaXN0cnkuazhzLmlvCiAgICAgICAgICByZXBvc2l0b3J5OiBrdWJlLXNjaGVkdWxlcgogICAgICAgICAgdGFnOiB2MS4zMi4xCiAgICAgICAgaW1hZ2VQdWxsUG9saWN5OiAiIgogICAgICBzZWN1cml0eUNvbnRleHQ6IHt9CiAgICAgIHZlcnNpb246ICIiCiAgaW5ncmVzczoKICAgIGFubm90YXRpb25zOgogICAgICBjZXJ0LW1hbmFnZXIuaW8vY2x1c3Rlci1pc3N1ZXI6IGxldHNlbmNyeXB0LXByb2R1Y3Rpb24KICAgICAgbmdpbnguaW5ncmVzcy5rdWJlcm5ldGVzLmlvL2JhY2tlbmQtcHJvdG9jb2w6IEhUVFBTCiAgICAgIG5naW54LmluZ3Jlc3Mua3ViZXJuZXRlcy5pby9zc2wtcGFzc3Rocm91Z2g6ICJ0cnVlIgogICAgICBuZ2lueC5pbmdyZXNzLmt1YmVybmV0ZXMuaW8vc3NsLXJlZGlyZWN0OiAidHJ1ZSIKICAgIGVuYWJsZWQ6IHRydWUKICAgIGxhYmVsczoge30KICAgIHBhdGhUeXBlOiBJbXBsZW1lbnRhdGlvblNwZWNpZmljCiAgICBzcGVjOgogICAgICB0bHM6CiAgICAgIC0gaG9zdHM6CiAgICAgICAgLSBudWxsCiAgICAgICAgc2VjcmV0TmFtZTogb3BlbnNoaWZ0LXRscwogIHByb3h5OgogICAgYmluZEFkZHJlc3M6IDAuMC4wLjAKICAgIGV4dHJhU0FOczogW10KICAgIHBvcnQ6IDg0NDMKICBzZXJ2aWNlOgogICAgYW5ub3RhdGlvbnM6IHt9CiAgICBlbmFibGVkOiB0cnVlCiAgICBodHRwc05vZGVQb3J0OiAwCiAgICBrdWJlbGV0Tm9kZVBvcnQ6IDAKICAgIGxhYmVsczoge30KICAgIHNwZWM6CiAgICAgIHR5cGU6IENsdXN0ZXJJUAogIHNlcnZpY2VNb25pdG9yOgogICAgYW5ub3RhdGlvbnM6IHt9CiAgICBlbmFibGVkOiBmYWxzZQogICAgbGFiZWxzOiB7fQogIHN0YXRlZnVsU2V0OgogICAgYW5ub3RhdGlvbnM6IHt9CiAgICBhcmdzOiBbXQogICAgY29tbWFuZDogW10KICAgIGVuYWJsZVNlcnZpY2VMaW5rczogdHJ1ZQogICAgZW52OiBbXQogICAgaGlnaEF2YWlsYWJpbGl0eToKICAgICAgbGVhc2VEdXJhdGlvbjogNjAKICAgICAgcmVuZXdEZWFkbGluZTogNDAKICAgICAgcmVwbGljYXM6IDEKICAgICAgcmV0cnlQZXJpb2Q6IDE1CiAgICBpbWFnZToKICAgICAgcmVnaXN0cnk6IGdoY3IuaW8KICAgICAgcmVwb3NpdG9yeTogbG9mdC1zaC92Y2x1c3Rlci1vc3MKICAgICAgdGFnOiAwLjI0LjEKICAgIGltYWdlUHVsbFBvbGljeTogIiIKICAgIGxhYmVsczoge30KICAgIHBlcnNpc3RlbmNlOgogICAgICBhZGRWb2x1bWVNb3VudHM6IFtdCiAgICAgIGFkZFZvbHVtZXM6IFtdCiAgICAgIGJpbmFyaWVzVm9sdW1lOgogICAgICAtIGVtcHR5RGlyOiB7fQogICAgICAgIG5hbWU6IGJpbmFyaWVzCiAgICAgIGRhdGFWb2x1bWU6IFtdCiAgICAgIHZvbHVtZUNsYWltOgogICAgICAgIGFjY2Vzc01vZGVzOgogICAgICAgIC0gUmVhZFdyaXRlT25jZQogICAgICAgIGVuYWJsZWQ6IGF1dG8KICAgICAgICByZXRlbnRpb25Qb2xpY3k6IFJldGFpbgogICAgICAgIHNpemU6IDVHaQogICAgICB2b2x1bWVDbGFpbVRlbXBsYXRlczogW10KICAgIHBvZHM6CiAgICAgIGFubm90YXRpb25zOiB7fQogICAgICBsYWJlbHM6IHt9CiAgICBwcm9iZXM6CiAgICAgIGxpdmVuZXNzUHJvYmU6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICByZWFkaW5lc3NQcm9iZToKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHN0YXJ0dXBQcm9iZToKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICByZXNvdXJjZXM6CiAgICAgIGxpbWl0czoKICAgICAgICBlcGhlbWVyYWwtc3RvcmFnZTogOEdpCiAgICAgICAgbWVtb3J5OiAyR2kKICAgICAgcmVxdWVzdHM6CiAgICAgICAgY3B1OiAyMDBtCiAgICAgICAgZXBoZW1lcmFsLXN0b3JhZ2U6IDQwME1pCiAgICAgICAgbWVtb3J5OiAyNTZNaQogICAgc2NoZWR1bGluZzoKICAgICAgYWZmaW5pdHk6IHt9CiAgICAgIG5vZGVTZWxlY3Rvcjoge30KICAgICAgcG9kTWFuYWdlbWVudFBvbGljeTogUGFyYWxsZWwKICAgICAgcHJpb3JpdHlDbGFzc05hbWU6ICIiCiAgICAgIHRvbGVyYXRpb25zOiBbXQogICAgICB0b3BvbG9neVNwcmVhZENvbnN0cmFpbnRzOiBbXQogICAgc2VjdXJpdHk6CiAgICAgIGNvbnRhaW5lclNlY3VyaXR5Q29udGV4dDoKICAgICAgICBhbGxvd1ByaXZpbGVnZUVzY2FsYXRpb246IGZhbHNlCiAgICAgIHBvZFNlY3VyaXR5Q29udGV4dDoge30KICAgIHdvcmtpbmdEaXI6ICIiCmV4cGVyaW1lbnRhbDoKICBkZXBsb3k6CiAgICBob3N0OgogICAgICBtYW5pZmVzdHM6ICIiCiAgICAgIG1hbmlmZXN0c1RlbXBsYXRlOiAiIgogICAgdmNsdXN0ZXI6CiAgICAgIGhlbG06IFtdCiAgICAgIG1hbmlmZXN0czogbmlsCiAgICAgIG1hbmlmZXN0c1RlbXBsYXRlOiAiIgogIGdlbmVyaWNTeW5jOgogICAgY2x1c3RlclJvbGU6CiAgICAgIGV4dHJhUnVsZXM6IFtdCiAgICByb2xlOgogICAgICBleHRyYVJ1bGVzOiBbXQogIGlzb2xhdGVkQ29udHJvbFBsYW5lOgogICAgaGVhZGxlc3M6IGZhbHNlCiAgbXVsdGlOYW1lc3BhY2VNb2RlOgogICAgZW5hYmxlZDogZmFsc2UKICByZXVzZU5hbWVzcGFjZTogZmFsc2UKICBzeW5jU2V0dGluZ3M6CiAgICBkaXNhYmxlU3luYzogZmFsc2UKICAgIHJld3JpdGVLdWJlcm5ldGVzU2VydmljZTogZmFsc2UKICAgIHNldE93bmVyOiB0cnVlCiAgICB0YXJnZXROYW1lc3BhY2U6ICIiCmV4cG9ydEt1YmVDb25maWc6CiAgY29udGV4dDogIiIKICBpbnNlY3VyZTogZmFsc2UKICBzZWNyZXQ6CiAgICBuYW1lOiAiIgogICAgbmFtZXNwYWNlOiAiIgogIHNlcnZlcjogaHR0cHM6Ly9Ob25lCiAgc2VydmljZUFjY291bnQ6CiAgICBjbHVzdGVyUm9sZTogY2x1c3Rlci1hZG1pbgogICAgbmFtZTogb3BlbnNoaWZ0LWFkbWluCiAgICBuYW1lc3BhY2U6ICIiCmV4dGVybmFsOiB7fQppbnRlZ3JhdGlvbnM6CiAgY2VydE1hbmFnZXI6CiAgICBlbmFibGVkOiBmYWxzZQogICAgc3luYzoKICAgICAgZnJvbUhvc3Q6CiAgICAgICAgY2x1c3Rlcklzc3VlcnM6CiAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgICBzZWxlY3RvcjoKICAgICAgICAgICAgbGFiZWxzOiB7fQogICAgICB0b0hvc3Q6CiAgICAgICAgY2VydGlmaWNhdGVzOgogICAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICAgIGlzc3VlcnM6CiAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgZXh0ZXJuYWxTZWNyZXRzOgogICAgZW5hYmxlZDogZmFsc2UKICAgIHN5bmM6CiAgICAgIGNsdXN0ZXJTdG9yZXM6CiAgICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgICBzZWxlY3RvcjoKICAgICAgICAgIGxhYmVsczoge30KICAgICAgZXh0ZXJuYWxTZWNyZXRzOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgc3RvcmVzOgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICB3ZWJob29rOgogICAgICBlbmFibGVkOiBmYWxzZQogIGt1YmVWaXJ0OgogICAgZW5hYmxlZDogZmFsc2UKICAgIHN5bmM6CiAgICAgIGRhdGFWb2x1bWVzOgogICAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICAgIHZpcnR1YWxNYWNoaW5lQ2xvbmVzOgogICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgdmlydHVhbE1hY2hpbmVJbnN0YW5jZU1pZ3JhdGlvbnM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICB2aXJ0dWFsTWFjaGluZUluc3RhbmNlczoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIHZpcnR1YWxNYWNoaW5lUG9vbHM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgICB2aXJ0dWFsTWFjaGluZXM6CiAgICAgICAgZW5hYmxlZDogdHJ1ZQogICAgd2ViaG9vazoKICAgICAgZW5hYmxlZDogdHJ1ZQogIG1ldHJpY3NTZXJ2ZXI6CiAgICBlbmFibGVkOiBmYWxzZQogICAgbm9kZXM6IHRydWUKICAgIHBvZHM6IHRydWUKbmV0d29ya2luZzoKICBhZHZhbmNlZDoKICAgIGNsdXN0ZXJEb21haW46IGNsdXN0ZXIubG9jYWwKICAgIGZhbGxiYWNrSG9zdENsdXN0ZXI6IGZhbHNlCiAgICBwcm94eUt1YmVsZXRzOgogICAgICBieUhvc3RuYW1lOiB0cnVlCiAgICAgIGJ5SVA6IHRydWUKICByZXBsaWNhdGVTZXJ2aWNlczoKICAgIGZyb21Ib3N0OiBbXQogICAgdG9Ib3N0OiBbXQogIHJlc29sdmVETlM6IFtdCnBsdWdpbnM6IHt9CnBvbGljaWVzOgogIGNlbnRyYWxBZG1pc3Npb246CiAgICBtdXRhdGluZ1dlYmhvb2tzOiBbXQogICAgdmFsaWRhdGluZ1dlYmhvb2tzOiBbXQogIGxpbWl0UmFuZ2U6CiAgICBhbm5vdGF0aW9uczoge30KICAgIGRlZmF1bHQ6CiAgICAgIGNwdTogIjEiCiAgICAgIGVwaGVtZXJhbC1zdG9yYWdlOiA4R2kKICAgICAgbWVtb3J5OiA1MTJNaQogICAgZGVmYXVsdFJlcXVlc3Q6CiAgICAgIGNwdTogMTAwbQogICAgICBlcGhlbWVyYWwtc3RvcmFnZTogM0dpCiAgICAgIG1lbW9yeTogMTI4TWkKICAgIGVuYWJsZWQ6IGF1dG8KICAgIGxhYmVsczoge30KICAgIG1heDoge30KICAgIG1pbjoge30KICBuZXR3b3JrUG9saWN5OgogICAgYW5ub3RhdGlvbnM6IHt9CiAgICBlbmFibGVkOiBmYWxzZQogICAgZmFsbGJhY2tEbnM6IDguOC44LjgKICAgIGxhYmVsczoge30KICAgIG91dGdvaW5nQ29ubmVjdGlvbnM6CiAgICAgIGlwQmxvY2s6CiAgICAgICAgY2lkcjogMC4wLjAuMC8wCiAgICAgICAgZXhjZXB0OgogICAgICAgIC0gMTAwLjY0LjAuMC8xMAogICAgICAgIC0gMTI3LjAuMC4wLzgKICAgICAgICAtIDEwLjAuMC4wLzgKICAgICAgICAtIDE3Mi4xNi4wLjAvMTIKICAgICAgICAtIDE5Mi4xNjguMC4wLzE2CiAgICAgIHBsYXRmb3JtOiB0cnVlCiAgcmVzb3VyY2VRdW90YToKICAgIGFubm90YXRpb25zOiB7fQogICAgZW5hYmxlZDogYXV0bwogICAgbGFiZWxzOiB7fQogICAgcXVvdGE6CiAgICAgIGNvdW50L2NvbmZpZ21hcHM6IDEwMAogICAgICBjb3VudC9lbmRwb2ludHM6IDQwCiAgICAgIGNvdW50L3BlcnNpc3RlbnR2b2x1bWVjbGFpbXM6IDIwCiAgICAgIGNvdW50L3BvZHM6IDIwCiAgICAgIGNvdW50L3NlY3JldHM6IDEwMAogICAgICBjb3VudC9zZXJ2aWNlczogMjAKICAgICAgbGltaXRzLmNwdTogMjAKICAgICAgbGltaXRzLmVwaGVtZXJhbC1zdG9yYWdlOiAxNjBHaQogICAgICBsaW1pdHMubWVtb3J5OiA0MEdpCiAgICAgIHJlcXVlc3RzLmNwdTogMTAKICAgICAgcmVxdWVzdHMuZXBoZW1lcmFsLXN0b3JhZ2U6IDYwR2kKICAgICAgcmVxdWVzdHMubWVtb3J5OiAyMEdpCiAgICAgIHJlcXVlc3RzLnN0b3JhZ2U6IDEwMEdpCiAgICAgIHNlcnZpY2VzLmxvYWRiYWxhbmNlcnM6IDEKICAgICAgc2VydmljZXMubm9kZXBvcnRzOiAwCiAgICBzY29wZVNlbGVjdG9yOgogICAgICBtYXRjaEV4cHJlc3Npb25zOiBbXQogICAgc2NvcGVzOiBbXQpyYmFjOgogIGNsdXN0ZXJSb2xlOgogICAgZW5hYmxlZDogYXV0bwogICAgZXh0cmFSdWxlczogW10KICAgIG92ZXJ3cml0ZVJ1bGVzOiBbXQogIHJvbGU6CiAgICBlbmFibGVkOiB0cnVlCiAgICBleHRyYVJ1bGVzOgogICAgLSBhcGlHcm91cHM6CiAgICAgIC0gIiIKICAgICAgcmVzb3VyY2VzOgogICAgICAtIGVuZHBvaW50cy9yZXN0cmljdGVkCiAgICAgIHZlcmJzOgogICAgICAtIGNyZWF0ZQogICAgb3ZlcndyaXRlUnVsZXM6IFtdCnN5bmM6CiAgZnJvbUhvc3Q6CiAgICBjb25maWdNYXBzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgICBtYXBwaW5nczoKICAgICAgICBieU5hbWU6IHt9CiAgICBjc2lEcml2ZXJzOgogICAgICBlbmFibGVkOiBhdXRvCiAgICBjc2lOb2RlczoKICAgICAgZW5hYmxlZDogYXV0bwogICAgY3NpU3RvcmFnZUNhcGFjaXRpZXM6CiAgICAgIGVuYWJsZWQ6IGF1dG8KICAgIGV2ZW50czoKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgaW5ncmVzc0NsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBub2RlczoKICAgICAgY2xlYXJJbWFnZVN0YXR1czogZmFsc2UKICAgICAgZW5hYmxlZDogZmFsc2UKICAgICAgc2VsZWN0b3I6CiAgICAgICAgYWxsOiBmYWxzZQogICAgICAgIGxhYmVsczoge30KICAgICAgc3luY0JhY2tDaGFuZ2VzOiBmYWxzZQogICAgcHJpb3JpdHlDbGFzc2VzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgcnVudGltZUNsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBzZWNyZXRzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgICBtYXBwaW5nczoKICAgICAgICBieU5hbWU6IHt9CiAgICBzdG9yYWdlQ2xhc3NlczoKICAgICAgZW5hYmxlZDogYXV0bwogICAgdm9sdW1lU25hcHNob3RDbGFzc2VzOgogICAgICBlbmFibGVkOiBmYWxzZQogIHRvSG9zdDoKICAgIGNvbmZpZ01hcHM6CiAgICAgIGFsbDogZmFsc2UKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgZW5kcG9pbnRzOgogICAgICBlbmFibGVkOiB0cnVlCiAgICBpbmdyZXNzZXM6CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIG5ldHdvcmtQb2xpY2llczoKICAgICAgZW5hYmxlZDogZmFsc2UKICAgIHBlcnNpc3RlbnRWb2x1bWVDbGFpbXM6CiAgICAgIGVuYWJsZWQ6IHRydWUKICAgIHBlcnNpc3RlbnRWb2x1bWVzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgcG9kRGlzcnVwdGlvbkJ1ZGdldHM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBwb2RzOgogICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGVuZm9yY2VUb2xlcmF0aW9uczogW10KICAgICAgcHJpb3JpdHlDbGFzc05hbWU6ICIiCiAgICAgIHJld3JpdGVIb3N0czoKICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgICAgaW5pdENvbnRhaW5lcjoKICAgICAgICAgIGltYWdlOiBsaWJyYXJ5L2FscGluZTozLjIwCiAgICAgICAgICByZXNvdXJjZXM6CiAgICAgICAgICAgIGxpbWl0czoKICAgICAgICAgICAgICBjcHU6IDMwbQogICAgICAgICAgICAgIG1lbW9yeTogNjRNaQogICAgICAgICAgICByZXF1ZXN0czoKICAgICAgICAgICAgICBjcHU6IDMwbQogICAgICAgICAgICAgIG1lbW9yeTogNjRNaQogICAgICBydW50aW1lQ2xhc3NOYW1lOiAiIgogICAgICB0cmFuc2xhdGVJbWFnZToge30KICAgICAgdXNlU2VjcmV0c0ZvclNBVG9rZW5zOiBmYWxzZQogICAgcHJpb3JpdHlDbGFzc2VzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgc2VjcmV0czoKICAgICAgYWxsOiBmYWxzZQogICAgICBlbmFibGVkOiB0cnVlCiAgICBzZXJ2aWNlQWNjb3VudHM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICBzZXJ2aWNlczoKICAgICAgZW5hYmxlZDogdHJ1ZQogICAgc3RvcmFnZUNsYXNzZXM6CiAgICAgIGVuYWJsZWQ6IGZhbHNlCiAgICB2b2x1bWVTbmFwc2hvdENvbnRlbnRzOgogICAgICBlbmFibGVkOiBmYWxzZQogICAgdm9sdW1lU25hcHNob3RzOgogICAgICBlbmFibGVkOiBmYWxzZQp0ZWxlbWV0cnk6CiAgZW5hYmxlZDogdHJ1ZQ== +kind: Secret +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: vc-config-openshift + namespace: syn-openshift +type: Opaque diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml new file mode 100644 index 0000000..443840c --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/coredns-configmap.yaml @@ -0,0 +1,68 @@ +apiVersion: v1 +data: + coredns.yaml: "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: coredns\n\ + \ namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind:\ + \ ClusterRole\nmetadata:\n labels:\n kubernetes.io/bootstrapping: rbac-defaults\n\ + \ name: system:coredns\nrules:\n - apiGroups:\n - \"\"\n resources:\n\ + \ - endpoints\n - services\n - pods\n - namespaces\n verbs:\n\ + \ - list\n - watch\n - apiGroups:\n - discovery.k8s.io\n resources:\n\ + \ - endpointslices\n verbs:\n - list\n - watch\n---\napiVersion:\ + \ rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n annotations:\n\ + \ rbac.authorization.kubernetes.io/autoupdate: \"true\"\n labels:\n kubernetes.io/bootstrapping:\ + \ rbac-defaults\n name: system:coredns\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n\ + \ kind: ClusterRole\n name: system:coredns\nsubjects:\n - kind: ServiceAccount\n\ + \ name: coredns\n namespace: kube-system\n---\napiVersion: v1\nkind: ConfigMap\n\ + metadata:\n name: coredns\n namespace: kube-system\ndata:\n Corefile: |-\n\ + \ .:1053 {\n errors\n health\n ready\n rewrite\ + \ name regex .*\\.nodes\\.vcluster\\.com kubernetes.default.svc.cluster.local\n\ + \ kubernetes cluster.local in-addr.arpa ip6.arpa {\n pods insecure\n\ + \ fallthrough in-addr.arpa ip6.arpa\n }\n hosts /etc/NodeHosts\ + \ {\n ttl 60\n reload 15s\n fallthrough\n \ + \ }\n prometheus :9153\n forward . /etc/resolv.conf\n \ + \ cache 30\n loop\n loadbalance\n }\n \n import /etc/coredns/custom/*.server\n\ + \ NodeHosts: \"\"\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name:\ + \ coredns\n namespace: kube-system\n labels:\n k8s-app: vcluster-kube-dns\n\ + \ kubernetes.io/name: \"CoreDNS\"\nspec:\n replicas: 1\n strategy:\n type:\ + \ RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n \ + \ matchLabels:\n k8s-app: vcluster-kube-dns\n template:\n metadata:\n\ + \ labels:\n k8s-app: vcluster-kube-dns\n spec:\n priorityClassName:\ + \ \"\"\n serviceAccountName: coredns\n nodeSelector:\n kubernetes.io/os:\ + \ linux\n topologySpreadConstraints:\n - labelSelector:\n \ + \ matchLabels:\n k8s-app: vcluster-kube-dns\n maxSkew:\ + \ 1\n topologyKey: kubernetes.io/hostname\n whenUnsatisfiable:\ + \ DoNotSchedule\n containers:\n - name: coredns\n image:\ + \ {{.IMAGE}}\n imagePullPolicy: IfNotPresent\n resources:\n\ + \ limits:\n cpu: 1000m\n memory: 170Mi\n\ + \ requests:\n cpu: 20m\n memory: 64Mi\n \ + \ args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n volumeMounts:\n\ + \ - name: config-volume\n mountPath: /etc/coredns\n \ + \ readOnly: true\n - name: custom-config-volume\n \ + \ mountPath: /etc/coredns/custom\n readOnly: true\n \ + \ securityContext:\n runAsNonRoot: true\n runAsUser:\ + \ {{.RUN_AS_USER}}\n runAsGroup: {{.RUN_AS_GROUP}}\n allowPrivilegeEscalation:\ + \ false\n capabilities:\n add:\n - NET_BIND_SERVICE\n\ + \ drop:\n - ALL\n readOnlyRootFilesystem:\ + \ true\n livenessProbe:\n httpGet:\n path: /health\n\ + \ port: 8080\n scheme: HTTP\n initialDelaySeconds:\ + \ 60\n periodSeconds: 10\n timeoutSeconds: 1\n \ + \ successThreshold: 1\n failureThreshold: 3\n readinessProbe:\n\ + \ httpGet:\n path: /ready\n port: 8181\n\ + \ scheme: HTTP\n initialDelaySeconds: 0\n periodSeconds:\ + \ 2\n timeoutSeconds: 1\n successThreshold: 1\n \ + \ failureThreshold: 3\n dnsPolicy: Default\n volumes:\n -\ + \ name: config-volume\n configMap:\n name: coredns\n \ + \ items:\n - key: Corefile\n path: Corefile\n\ + \ - key: NodeHosts\n path: NodeHosts\n - name:\ + \ custom-config-volume\n configMap:\n name: coredns-custom\n\ + \ optional: true\n---\napiVersion: v1\nkind: Service\nmetadata:\n \ + \ name: kube-dns\n namespace: kube-system\n annotations:\n prometheus.io/port:\ + \ \"9153\"\n prometheus.io/scrape: \"true\"\n labels:\n k8s-app: vcluster-kube-dns\n\ + \ kubernetes.io/cluster-service: \"true\"\n kubernetes.io/name: \"CoreDNS\"\ + \nspec:\n type: ClusterIP\n selector:\n k8s-app: vcluster-kube-dns\n ports:\n\ + \ - name: dns\n port: 53\n targetPort: 1053\n protocol: UDP\n\ + \ - name: dns-tcp\n port: 53\n targetPort: 1053\n protocol:\ + \ TCP\n - name: metrics\n port: 9153\n protocol: TCP" +kind: ConfigMap +metadata: + name: vc-coredns-openshift + namespace: syn-openshift diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/headless-service.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/headless-service.yaml new file mode 100644 index 0000000..59179e1 --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/headless-service.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: openshift-headless + namespace: syn-openshift +spec: + clusterIP: None + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + publishNotReadyAddresses: true + selector: + app: vcluster + release: openshift diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/ingress.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/ingress.yaml new file mode 100644 index 0000000..fa13b42 --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/ingress.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/ssl-passthrough: 'true' + nginx.ingress.kubernetes.io/ssl-redirect: 'true' + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: openshift + namespace: syn-openshift +spec: + rules: + - host: null + http: + paths: + - backend: + service: + name: openshift + port: + name: https + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - null + secretName: openshift-tls diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/role.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/role.yaml new file mode 100644 index 0000000..12bc100 --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/role.yaml @@ -0,0 +1,85 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: vc-openshift + namespace: syn-openshift +rules: + - apiGroups: + - '' + resources: + - configmaps + - secrets + - services + - pods + - pods/attach + - pods/portforward + - pods/exec + - persistentvolumeclaims + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods/status + - pods/ephemeralcontainers + verbs: + - patch + - update + - apiGroups: + - apps + resources: + - statefulsets + - replicasets + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints + - events + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - delete + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - apiGroups: + - '' + resources: + - endpoints/restricted + verbs: + - create diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml new file mode 100644 index 0000000..3e526fb --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/rolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: vc-openshift + namespace: syn-openshift +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vc-openshift +subjects: + - kind: ServiceAccount + name: vc-openshift + namespace: syn-openshift diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/service.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/service.yaml new file mode 100644 index 0000000..70c402c --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + vcluster.loft.sh/service: 'true' + name: openshift + namespace: syn-openshift +spec: + ports: + - name: https + nodePort: 0 + port: 443 + protocol: TCP + targetPort: 8443 + - name: kubelet + nodePort: 0 + port: 10250 + protocol: TCP + targetPort: 8443 + selector: + app: vcluster + release: openshift + type: ClusterIP diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml new file mode 100644 index 0000000..cf0b600 --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: vc-openshift + namespace: syn-openshift diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/statefulset.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/statefulset.yaml new file mode 100644 index 0000000..77d4dfd --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/statefulset.yaml @@ -0,0 +1,148 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: openshift + namespace: syn-openshift +spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + podManagementPolicy: Parallel + replicas: 1 + selector: + matchLabels: + app: vcluster + release: openshift + serviceName: openshift-headless + template: + metadata: + annotations: + vClusterConfigHash: 783d145bf6774bd8f8dacd011b30d34de5700fe40c1f52d4b5338b5446809028 + labels: + app: vcluster + release: openshift + spec: + containers: + - env: + - name: VCLUSTER_NAME + value: openshift + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: ghcr.io/loft-sh/vcluster-oss:0.24.1 + imagePullPolicy: null + livenessProbe: + failureThreshold: 60 + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 60 + periodSeconds: 2 + timeoutSeconds: 3 + name: syncer + readinessProbe: + failureThreshold: 60 + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + periodSeconds: 2 + timeoutSeconds: 3 + resources: + limits: + ephemeral-storage: 8Gi + memory: 2Gi + requests: + cpu: 200m + ephemeral-storage: 400Mi + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + startupProbe: + failureThreshold: 300 + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + periodSeconds: 6 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /binaries + name: binaries + - mountPath: /pki + name: certs + - mountPath: /.cache/helm + name: helm-cache + - mountPath: /etc/rancher + name: k3s-config + - mountPath: /var/vcluster + name: vcluster-config + - mountPath: /tmp + name: tmp + - mountPath: /manifests/coredns + name: coredns + readOnly: true + enableServiceLinks: true + initContainers: + - args: + - -c + - cp /bin/k3s /binaries/k3s + command: + - /bin/sh + image: docker.io/rancher/k3s:v1.32.1-k3s1 + name: vcluster + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 40m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /binaries + name: binaries + serviceAccountName: vc-openshift + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: helm-cache + - emptyDir: {} + name: binaries + - emptyDir: {} + name: tmp + - emptyDir: {} + name: certs + - emptyDir: {} + name: k3s-config + - name: vcluster-config + secret: + secretName: vc-config-openshift + - configMap: + name: vc-coredns-openshift + name: coredns + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml new file mode 100644 index 0000000..db23c41 --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/01_vcluster_helmchart/vcluster/templates/workload-serviceaccount.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: vcluster + chart: vcluster-0.24.1 + heritage: Helm + release: openshift + name: vc-workload-openshift + namespace: syn-openshift diff --git a/tests/golden/openshift/openshift/openshift/10_cluster.yaml b/tests/golden/openshift/openshift/openshift/10_cluster.yaml deleted file mode 100644 index 6957c8e..0000000 --- a/tests/golden/openshift/openshift/openshift/10_cluster.yaml +++ /dev/null @@ -1,729 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: vc-openshift - name: vc-openshift - namespace: syn-openshift ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: openshift - name: openshift - namespace: syn-openshift -rules: - - apiGroups: - - '' - resources: - - configmaps - - secrets - - services - - pods - - pods/attach - - pods/portforward - - pods/exec - - endpoints - - persistentvolumeclaims - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - - pods/log - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - replicasets - - deployments - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - endpoints/restricted - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: openshift - name: openshift - namespace: syn-openshift -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: openshift -subjects: - - kind: ServiceAccount - name: vc-openshift - namespace: syn-openshift ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: {} - labels: - name: syn-vcluster-openshift - name: syn-vcluster-openshift -rules: - - apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: {} - labels: - name: syn-vcluster-openshift - name: syn-vcluster-openshift -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: syn-vcluster-openshift -subjects: - - kind: ServiceAccount - name: vc-openshift - namespace: syn-openshift ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: use-nonroot-v2 - name: use-nonroot-v2 - namespace: syn-openshift -rules: - - apiGroups: - - security.openshift.io - resourceNames: - - nonroot-v2 - resources: - - securitycontextconstraints - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - vcluster.syn.tools/description: Allow vcluster to sync pods with arbitrary nonroot - users by allowing the default ServiceAccount to use the nonroot-v2 scc - labels: - name: default-use-nonroot-v2 - name: default-use-nonroot-v2 - namespace: syn-openshift -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: use-nonroot-v2 -subjects: - - kind: ServiceAccount - name: default - namespace: syn-openshift ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: openshift - name: openshift - namespace: syn-openshift -spec: - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: vcluster - release: openshift - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - annotations: {} - labels: - name: openshift-headless - name: openshift-headless - namespace: syn-openshift -spec: - clusterIP: None - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: vcluster - release: openshift ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - annotations: {} - labels: - name: openshift - name: openshift - namespace: syn-openshift -spec: - replicas: 1 - selector: - matchLabels: - app: vcluster - release: openshift - serviceName: openshift-headless - template: - metadata: - labels: - app: vcluster - release: openshift - spec: - affinity: {} - containers: - - args: - - server - - --write-kubeconfig=/data/k3s-config/kube-config.yaml - - --data-dir=/data - - --disable=traefik,servicelb,metrics-server,local-storage,coredns - - --disable-network-policy - - --disable-agent - - --disable-scheduler - - --disable-cloud-controller - - --flannel-backend=none - - --service-cidr=172.30.0.0/16 - - --kube-controller-manager-arg=controllers=*,-nodeipam,-nodelifecycle,-persistentvolume-binder,-attachdetach,-persistentvolume-expander,-cloud-node-lifecycle - - --tls-san=openshift.syn-openshift.svc.cluster.local - - --tls-san=openshift.syn-openshift.svc - - --tls-san=openshift.syn-openshift - - --tls-san=openshift - command: - - /bin/k3s - env: [] - image: docker.io/rancher/k3s:v1.25.15-k3s1 - name: vcluster - resources: - limits: - memory: 2Gi - requests: - cpu: 200m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/rancher - name: etc-rancher - - args: - - --name=openshift - - --out-kube-config-secret=vc-openshift-kubeconfig - - --sync=ingresses - - --tls-san=openshift.syn-openshift.svc.cluster.local - - --tls-san=openshift.syn-openshift.svc - - --tls-san=openshift.syn-openshift - - --tls-san=openshift - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: docker.io/loftsh/vcluster:0.14.1 - livenessProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 60 - periodSeconds: 2 - name: syncer - readinessProbe: - failureThreshold: 30 - httpGet: - path: /readyz - port: 8443 - scheme: HTTPS - periodSeconds: 2 - resources: - limits: - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /data - name: data - readOnly: true - - mountPath: /manifests/coredns - name: coredns - readOnly: true - nodeSelector: {} - serviceAccountName: vc-openshift - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - configMap: - defaultMode: 420 - name: vc-openshift-coredns - name: coredns - - emptyDir: {} - name: etc-rancher - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - storageClassName: null ---- -apiVersion: v1 -data: - manifests: |+ - --- - -kind: ConfigMap -metadata: - annotations: {} - labels: - name: openshift-init-manifests - name: openshift-init-manifests - namespace: syn-openshift ---- -apiVersion: v1 -data: - coredns.yaml: | - apiVersion: v1 - kind: ServiceAccount - metadata: - name: coredns - namespace: kube-system - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - - pods - - namespaces - verbs: - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - --- - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns - subjects: - - kind: ServiceAccount - name: coredns - namespace: kube-system - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: coredns - namespace: kube-system - data: - Corefile: | - .:1053 { - {{.LOG_IN_DEBUG}} - errors - health - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - } - hosts /etc/coredns/NodeHosts { - ttl 60 - reload 15s - fallthrough - } - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } - - import /etc/coredns/custom/*.server - NodeHosts: "" - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: coredns - namespace: kube-system - labels: - k8s-app: kube-dns - kubernetes.io/name: "CoreDNS" - spec: - replicas: 1 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - k8s-app: kube-dns - template: - metadata: - labels: - k8s-app: kube-dns - spec: - priorityClassName: "system-cluster-critical" - serviceAccountName: coredns - nodeSelector: - kubernetes.io/os: linux - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - k8s-app: kube-dns - containers: - - name: coredns - image: {{.IMAGE}} - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 1000m - memory: 170Mi - requests: - cpu: 100m - memory: 70Mi - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - - name: custom-config-volume - mountPath: /etc/coredns/custom - readOnly: true - ports: - - containerPort: 1053 - name: dns - protocol: UDP - - containerPort: 1053 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - securityContext: - runAsNonRoot: true - runAsUser: {{.RUN_AS_USER}} - runAsGroup: {{.RUN_AS_GROUP}} - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 2 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - dnsPolicy: Default - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile - - key: NodeHosts - path: NodeHosts - - name: custom-config-volume - configMap: - name: coredns-custom - optional: true - --- - apiVersion: v1 - kind: Service - metadata: - name: kube-dns - namespace: kube-system - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - labels: - k8s-app: kube-dns - kubernetes.io/cluster-service: "true" - kubernetes.io/name: "CoreDNS" - spec: - selector: - k8s-app: kube-dns - type: ClusterIP - ports: - - name: dns - port: 53 - targetPort: 1053 - protocol: UDP - - name: dns-tcp - port: 53 - targetPort: 1053 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP -kind: ConfigMap -metadata: - annotations: {} - labels: - name: vc-openshift-coredns - name: vc-openshift-coredns - namespace: syn-openshift ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: {} - labels: - name: openshift-create-route - name: openshift-create-route - namespace: syn-openshift ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: {} - labels: - name: openshift-create-route - name: openshift-create-route - namespace: syn-openshift -rules: - - apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' - - apiGroups: - - apps - resourceNames: - - openshift - resources: - - statefulsets - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: {} - labels: - name: openshift-create-route - name: openshift-create-route - namespace: syn-openshift -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: openshift-create-route -subjects: - - kind: ServiceAccount - name: openshift-create-route - namespace: syn-openshift ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/hook: PostSync - labels: - name: openshift-create-route - name: openshift-create-route - namespace: syn-openshift -spec: - completions: 1 - parallelism: 1 - template: - metadata: - labels: - name: openshift-create-route - spec: - containers: - - args: - - -eu - - -c - - | - #!/bin/sh - set -eu - - vcluster_kubeconfig=/etc/vcluster-kubeconfig/config - - echo "Using kubeconfig: $vcluster_kubeconfig" - - cert=$(kubectl --kubeconfig $vcluster_kubeconfig config view '-o=template={{(index (index .clusters 0).cluster "certificate-authority-data") | base64decode}}' --raw) - - echo "Found certificate:\n$cert" - - echo "Looking for StatefulSet.apps/${VCLUSTER_STS_NAME}..." - - owner=$(kubectl get StatefulSet.apps "$VCLUSTER_STS_NAME" -ojson | jq '{kind: .kind, apiVersion: .apiVersion, name: .metadata.name, uid: .metadata.uid}') - - echo "Found StatefulSet as owner: $owner" - - echo "Applying route..." - - printf "$1" \ - | jq \ - --arg cert "$cert" \ - --argjson owner "$owner" \ - '.metadata.ownerReferences = [$owner] | .spec.tls.destinationCACertificate = $cert' \ - | kubectl apply -f - -oyaml - - echo "Done!" - - -- - - |- - { - "apiVersion": "route.openshift.io/v1", - "kind": "Route", - "metadata": { - "annotations": { - - }, - "labels": { - "name": "openshift" - }, - "name": "openshift", - "namespace": "syn-openshift" - }, - "spec": { - "host": "test.apps.local", - "path": "/", - "port": { - "targetPort": "https" - }, - "tls": { - "insecureEdgeTerminationPolicy": "None", - "termination": "reencrypt" - }, - "to": { - "kind": "Service", - "name": "openshift", - "weight": 100 - }, - "wildcardPolicy": "None" - } - } - command: - - sh - env: - - name: HOME - value: /export - - name: NAMESPACE - value: syn-openshift - - name: VCLUSTER_STS_NAME - value: openshift - image: docker.io/bitnami/kubectl:1.28.15 - imagePullPolicy: IfNotPresent - name: openshift - ports: [] - stdin: false - tty: false - volumeMounts: - - mountPath: /export - name: export - - mountPath: /etc/vcluster-kubeconfig - name: kubeconfig - readOnly: true - workingDir: /export - imagePullSecrets: [] - initContainers: [] - restartPolicy: OnFailure - serviceAccountName: openshift-create-route - terminationGracePeriodSeconds: 30 - volumes: - - emptyDir: {} - name: export - - name: kubeconfig - secret: - secretName: vc-openshift-kubeconfig diff --git a/tests/golden/openshift/openshift/openshift/20_scc_role.yaml b/tests/golden/openshift/openshift/openshift/20_scc_role.yaml new file mode 100644 index 0000000..ede2305 --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/20_scc_role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: use-nonroot-v2 + name: use-nonroot-v2 + namespace: syn-openshift +rules: + - apiGroups: + - security.openshift.io + resourceNames: + - nonroot-v2 + resources: + - securitycontextconstraints + verbs: + - use diff --git a/tests/golden/openshift/openshift/openshift/20_scc_role_binding.yaml b/tests/golden/openshift/openshift/openshift/20_scc_role_binding.yaml new file mode 100644 index 0000000..0d2e3ae --- /dev/null +++ b/tests/golden/openshift/openshift/openshift/20_scc_role_binding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + vcluster.syn.tools/description: Allow vcluster to sync pods with arbitrary nonroot + users by allowing the default ServiceAccount to use the nonroot-v2 scc + labels: + name: vcluster-use-nonroot-v2 + name: vcluster-use-nonroot-v2 + namespace: syn-openshift +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: use-nonroot-v2 +subjects: + - kind: ServiceAccount + name: vc-openshift + namespace: syn-openshift diff --git a/tests/oidc.yml b/tests/oidc.yml index f615c5d..5406408 100644 --- a/tests/oidc.yml +++ b/tests/oidc.yml @@ -1,6 +1,5 @@ parameters: vcluster: - host_service_cidr: 172.30.0.0/16 namespace: testns storage: persistence: false @@ -13,7 +12,7 @@ parameters: - --kube-apiserver-arg=oidc-username-claim=email - --kube-apiserver-arg=oidc-groups-claim=groups - additional_manifests: + additional_manifests: |- cluster-admin: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -26,6 +25,5 @@ parameters: subjects: - kind: Group name: admin - syn: registration_url: https://syn.example.com/steward/install.json?token=w84kxjbhf