Merge branch 'main' into feature/oss-25-publish-versioned-chart

Author: ekampf

CHANGELOG.md

@@ -1,6 +1,93 @@
 # CHANGELOG
 
 
+## v0.14.1 (2024-12-16)
+
+### Bug Fixes
+
+- Allow extra env vars in the operator's Chart
+  ([#491](https://github.com/Twingate/kubernetes-operator/pull/491),
+  [`81bf885`](https://github.com/Twingate/kubernetes-operator/commit/81bf885b6c5c27dc075dab8b1f932f36170bff9c))
+
+
+## v0.14.0 (2024-12-16)
+
+### Chores
+
+- Bump github.com/gruntwork-io/terratest from 0.47.2 to 0.48.0
+  ([#480](https://github.com/Twingate/kubernetes-operator/pull/480),
+  [`16dba29`](https://github.com/Twingate/kubernetes-operator/commit/16dba292e42961e6347df224ec36e2efb2a360ab))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+- Bump golang.org/x/crypto from 0.21.0 to 0.31.0
+  ([#482](https://github.com/Twingate/kubernetes-operator/pull/482),
+  [`48b5ad1`](https://github.com/Twingate/kubernetes-operator/commit/48b5ad113fb5167d7c692cebdbe2c14bdc53ca5f))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+- Bump google-cloud-artifact-registry from 1.13.1 to 1.14.0
+  ([#484](https://github.com/Twingate/kubernetes-operator/pull/484),
+  [`baeb563`](https://github.com/Twingate/kubernetes-operator/commit/baeb563f2fa9dc64fb69c78f5f3a2345ba3b0c12))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+- Bump kopf from 1.37.3 to 1.37.4 ([#488](https://github.com/Twingate/kubernetes-operator/pull/488),
+  [`f17436f`](https://github.com/Twingate/kubernetes-operator/commit/f17436fbd595fea4dc579acd3ded66bfad588ccb))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+- Bump pydantic-settings from 2.6.1 to 2.7.0
+  ([#483](https://github.com/Twingate/kubernetes-operator/pull/483),
+  [`f43c3c3`](https://github.com/Twingate/kubernetes-operator/commit/f43c3c3f050ea5ab143fa6badc559f546e9ebda8))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+Co-authored-by: Eran Kampf <eran@ekampf.com>
+
+- Bump python-semantic-release from 9.15.1 to 9.15.2
+  ([#489](https://github.com/Twingate/kubernetes-operator/pull/489),
+  [`d911b83`](https://github.com/Twingate/kubernetes-operator/commit/d911b83ca3ad6240a56544033ab8cebbcb1d9d55))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+- Bump ruff from 0.8.2 to 0.8.3 ([#485](https://github.com/Twingate/kubernetes-operator/pull/485),
+  [`8a600a0`](https://github.com/Twingate/kubernetes-operator/commit/8a600a09a7e16cb5b04d43eb807f3c8770a8be25))
+
+Signed-off-by: dependabot[bot] <support@github.com>
+
+Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+- Fix README markdownlint warnings
+  ([`c623d90`](https://github.com/Twingate/kubernetes-operator/commit/c623d9030e3266ab3ca4e141aee7d25079d3c228))
+
+### Features
+
+- Allow using a pull thru docker cache with the imagepolicy schedule
+  ([#477](https://github.com/Twingate/kubernetes-operator/pull/477),
+  [`81fdb30`](https://github.com/Twingate/kubernetes-operator/commit/81fdb30022b8b7185c7148607b61dd1b7c5bb755))
+
+Co-authored-by: Lior Rozner <1411811+liorr@users.noreply.github.com>
+
+- Enable Configuration of Kopf Watch Settings via Environment Variables
+  ([#487](https://github.com/Twingate/kubernetes-operator/pull/487),
+  [`3da4225`](https://github.com/Twingate/kubernetes-operator/commit/3da4225865e767fe8ca74477f477bf2b3ca8fc02))
+
+Co-authored-by: Eran Kampf <205185+ekampf@users.noreply.github.com>
+
+
 ## v0.13.0 (2024-12-06)
 
 ### Bug Fixes

Makefile

@@ -64,7 +64,7 @@ test-cov:
 
 .PHONY: test-int
 test-int:
-	poetry run pytest  -m "integration" -v -x
+	poetry run pytest  -m "integration" -vv -l -x
 
 .PHONY: report-to-coveralls
 report-to-coveralls:

README.md

@@ -12,8 +12,11 @@ and manage Twingate resources within a Kubernetes environment. It provides
 seamless integration between your Kubernetes clusters and the Twingate Zero
 Trust Network.
 
-[Wiki](https://github.com/Twingate/kubernetes-operator/wiki)  |  [Getting Started](https://github.com/Twingate/kubernetes-operator/wiki/Getting-Started)  |  [API Reference](https://github.com/Twingate/kubernetes-operator/wiki/API-Reference)
+[Wiki][1]  |  [Getting Started][2]  |  [API Reference][3]
 
+[1]: https://github.com/Twingate/kubernetes-operator/wiki
+[2]: https://github.com/Twingate/kubernetes-operator/wiki/Getting-Started
+[3]: https://github.com/Twingate/kubernetes-operator/wiki/API-Reference
 
 ## Prerequisites
 

app/settings.py

@@ -5,6 +5,7 @@
 from base64 import b64decode
 from typing import Annotated, ClassVar
 
+import kopf
 from pydantic.functional_validators import AfterValidator
 from pydantic_core._pydantic_core import ValidationError
 from pydantic_settings import BaseSettings, SettingsConfigDict
@@ -36,6 +37,10 @@ class TwingateOperatorSettings(BaseSettings):
     remote_network_id: GlobalID = NULL_RN_ID
     remote_network_name: str | None = None
     host: str = "twingate.com"
+    kopf_watching_server_timeout: float | None = None
+    kopf_watching_client_timeout: float | None = None
+    kopf_watching_connect_timeout: float | None = None
+    kopf_watching_reconnect_backoff: float | None = None
 
     @property
     def full_url(self) -> str:
@@ -56,6 +61,16 @@ def __init__(self, *args, **kwargs):
         if self.remote_network_id == self.NULL_RN_ID:
             raise ValidationError("Remote network id is required")
 
+    def update_kopf_watching_settings(self, settings: kopf.OperatorSettings):
+        if self.kopf_watching_server_timeout:
+            settings.watching.server_timeout = self.kopf_watching_server_timeout
+        if self.kopf_watching_client_timeout:
+            settings.watching.client_timeout = self.kopf_watching_client_timeout
+        if self.kopf_watching_connect_timeout:
+            settings.watching.connect_timeout = self.kopf_watching_connect_timeout
+        if self.kopf_watching_reconnect_backoff:
+            settings.watching.reconnect_backoff = self.kopf_watching_reconnect_backoff
+
 
 __settings: TwingateOperatorSettings | None = None
 __version: str | None = None

app/version_policy_providers/dockerhub.py

@@ -8,8 +8,8 @@
 class DockerhubVersionPolicyProvider(VersionPolicyProvider):
     _DOCKER_HUB_API_BASE_URL = "https://hub.docker.com/v2"
 
-    def __init__(self, repository: str | None = None):
-        self.repository = repository or "twingate/connector"
+    def __init__(self, _repository: str | None = None):
+        self.repository = "twingate/connector"
         self.tags_api_url = (
             f"{self._DOCKER_HUB_API_BASE_URL}/repositories/{self.repository}/tags"
         )

deploy/test/golden/extraEnvVars.golden.yaml

@@ -0,0 +1,145 @@
+---
+# Source: twingate-operator/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test-twingate-operator
+  namespace: default
+  labels:
+    helm.sh/chart: twingate-operator-major.minor.patch-test
+    app.kubernetes.io/name: twingate-operator
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: twingate-operator/templates/secrets.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-twingate-operator
+  namespace: default
+  labels:
+    helm.sh/chart: twingate-operator-major.minor.patch-test
+    app.kubernetes.io/name: twingate-operator
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: Helm
+data:
+  TWINGATE_API_KEY: PGFwaSBrZXk+
+---
+# Source: twingate-operator/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test-twingate-operator-role-cluster
+rules:
+  # Framework: runtime observation of namespaces & CRDs (addition/deletion).
+  - apiGroups: [apiextensions.k8s.io]
+    resources: [customresourcedefinitions]
+    verbs: [list, watch]
+  - apiGroups: [""]
+    resources: [namespaces]
+    verbs: [list, watch]
+  - apiGroups: ["", "events.k8s.io"]
+    resources: [events]
+    verbs: ['*']
+
+  # Framework: admission webhook configuration management.
+  - apiGroups: [admissionregistration.k8s.io/v1, admissionregistration.k8s.io/v1beta1]
+    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
+    verbs: [create, patch]
+
+  # Application
+  - apiGroups: [twingate.com]
+    resources: [twingateresources, twingateresourceaccesses, twingateconnectors, twingategroups]
+    verbs: [list, watch, patch, get, create]
+
+  - apiGroups: ["*"]
+    resources: [pods, services, secrets, services/status]
+    verbs: [list, watch, patch, get, create, delete]
+---
+# Source: twingate-operator/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-twingate-operator-rolebinding-cluster
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-twingate-operator-role-cluster
+subjects:
+  - kind: ServiceAccount
+    name: test-twingate-operator
+    namespace: default
+---
+# Source: twingate-operator/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-twingate-operator
+  namespace: default
+  labels:
+    helm.sh/chart: twingate-operator-major.minor.patch-test
+    app.kubernetes.io/name: twingate-operator
+    app.kubernetes.io/instance: test
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: twingate-operator
+      app.kubernetes.io/instance: test
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: twingate-operator
+        app.kubernetes.io/instance: test
+    spec:
+      serviceAccountName: test-twingate-operator
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: twingate-operator
+        securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+        image: "twingate/kubernetes-operator:latest"
+        imagePullPolicy: IfNotPresent
+        command:
+          - kopf
+          - run
+          - ./main.py
+          - "-A"
+          - "--standalone"
+          - "--liveness=http://0.0.0.0:8080/healthz"
+          - "--log-format=full"
+        env:
+          - name: TWINGATE_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: test-twingate-operator
+                key: TWINGATE_API_KEY
+          - name: TWINGATE_NETWORK
+            value: <network slug>
+          - name: TWINGATE_HOST
+            value: twingate.com
+          - name: TWINGATE_REMOTE_NETWORK_ID
+            value: <remote network id>
+          - name: FOO
+            value: "BAR"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+        resources:
+            {}

deploy/test/golden/extraEnvVars.yaml

@@ -0,0 +1,9 @@
+twingateOperator:
+  apiKey: "<api key>"
+  network: "<network slug>"
+  remoteNetworkId: "<remote network id>"
+
+
+extraEnvVars:
+  - name: FOO
+    value: BAR

deploy/twingate-operator/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-operator-chart
 description: A Helm chart for installing twingate-operator
 type: application
-version: 0.1.9
+version: 0.1.12
 home: https://twingate.com
 sources:
   - https://github.com/Twingate/kubernetes-operator

deploy/twingate-operator/crds/twingate.com.twingateconnector.yaml

@@ -65,14 +65,17 @@ spec:
                     properties:
                       provider:
                         type: string
-                        description: "Provider to use for checking for new versions."
+                        description: >
+                          Provider determines how the operator looks for a new connector version.
+                            * dockerhub: Check Twingate's official DockerHub repository (`twingate/connector`) for new tags.
+                            * google: Check Google Container Registry specified by the `repository` value for new tags.
                         enum:
                           - dockerhub
                           - google
                       repository:
                         type: string
                         default: twingate/connector
-                        description: "Repository to check for new versions tags."
+                        description: "Repository to use for pod's image."
                       schedule:
                         type: string
                         description: "Cron schedule to check for new versions."
@@ -85,15 +88,19 @@ spec:
                         description: "Allow pre-release versions."
                 containerExtra:
                   type: object
+                  description: "Extra container configuration for the Connector Pod."
                   x-kubernetes-preserve-unknown-fields: true
                 podExtra:
                   type: object
+                  description: "Extra pod configuration for the Connector Pod."
                   x-kubernetes-preserve-unknown-fields: true
                 podAnnotations:
                   type: object
+                  description: "Extra annotations to add to the Connector Pod."
                   x-kubernetes-preserve-unknown-fields: true
                 podLabels:
                   type: object
+                  description: "Extra labels to add to the Connector Pod."
                   x-kubernetes-preserve-unknown-fields: true
                 sidecarContainers:
                   type: array

deploy/twingate-operator/templates/deployment.yaml

@@ -70,6 +70,12 @@ spec:
           - name: TWINGATE_REMOTE_NETWORK_NAME
             value: {{ .Values.twingateOperator.remoteNetworkName }}
           {{- end }}
+          {{- with .Values.extraEnvVars }}
+          {{- range . }}
+          - name: {{ .name }}
+            value: {{ .value | quote }}
+          {{- end }}
+          {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz

deploy/twingate-operator/values.schema.json

@@ -43,6 +43,12 @@
                 "pullPolicy": "Always"
             }]
         },
+        "extraEnvVars": {
+            "type": "array",
+            "description": "Array with extra environment variables to add to the operator container",
+            "default": [],
+            "items": {}
+        },
         "twingateOperator": {
             "type": "object",
             "default": {},