diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 8b7fb5b..ec82909 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -29,6 +29,11 @@ jobs: args: 'check' test: runs-on: ubuntu-latest + strategy: + matrix: + instance: + - defaults + - openshift4 defaults: run: working-directory: ${{ env.COMPONENT_NAME }} @@ -40,6 +45,11 @@ jobs: run: make test golden: runs-on: ubuntu-latest + strategy: + matrix: + instance: + - defaults + - openshift4 defaults: run: working-directory: ${{ env.COMPONENT_NAME }} @@ -48,4 +58,4 @@ jobs: with: path: ${{ env.COMPONENT_NAME }} - name: Golden diff - run: make golden-diff + run: make golden-diff -e instance=${{ matrix.instance }} diff --git a/.sync.yml b/.sync.yml index fde8e8c..2356ef1 100644 --- a/.sync.yml +++ b/.sync.yml @@ -5,3 +5,11 @@ docs/antora.yml: name: resource-locker title: Resource Locker Operator + +.github/workflows/test.yaml: + goldenTest_makeTarget: golden-diff -e instance=${{ matrix.instance }} + matrix: + key: instance + entries: + - defaults + - openshift4 diff --git a/class/resource-locker.yml b/class/resource-locker.yml index 2059286..830d62c 100644 --- a/class/resource-locker.yml +++ b/class/resource-locker.yml @@ -30,3 +30,9 @@ parameters: input_paths: - resource-locker/helmcharts/resource-locker-operator-${resource_locker:charts:resource-locker-operator}/crds/ output_path: resource-locker/00_crds/ + commodore: + postprocess: + filters: + - type: jsonnet + filter: postprocess/non-openshift.jsonnet + path: resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates diff --git a/postprocess/non-openshift.jsonnet b/postprocess/non-openshift.jsonnet new file mode 100644 index 0000000..741a232 --- /dev/null +++ b/postprocess/non-openshift.jsonnet 
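Review bot: In the first hunk (`-29,6 +29,11`) the `test` job gains an `instance` matrix, but its step is still a bare `run: make test`, so the job now runs the identical command twice per push without exercising either instance. Either pass the value through as the golden job does, `run: make test -e instance=${{ matrix.instance }}` (assuming the Makefile's `test` target honours `instance` like `golden-diff` does — the Makefile is not in this diff), or leave the matrix off `test`. Interpolating `${{ matrix.instance }}` into a `run:` line is fine here because the values are literals declared in the workflow rather than PR-controlled input; that only stays true as long as the matrix is not later fed from an external source.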
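Review bot: The new `commodore.postprocess.filters` entry wires `postprocess/non-openshift.jsonnet` in unconditionally, so every non-OpenShift cluster gets the kube-rbac-proxy sidecar and its TLS volume stripped from the chart output with no way for a cluster to keep them (for example with a cert-manager-issued certificate). Consider gating it on a component parameter (the Commodore filter spec has an `enabled` field, if I recall it correctly — verify) and adding a comment on the filter entry such as `# Removes the kube-rbac-proxy/TLS front-end from the metrics endpoint on non-OpenShift clusters`, since nothing in the class makes that consequence visible.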
@@ -0,0 +1,90 @@ +local com = import 'lib/commodore.libjsonnet'; + +local inv = com.inventory(); +local distribution = inv.parameters.facts.distribution; + +local chart_output_dir = std.extVar('output_path'); + +local list_dir(dir, basename=true) = + std.native('list_dir')(dir, basename); + +local chart_files = list_dir(chart_output_dir); +local input_file(elem) = chart_output_dir + '/' + elem; + +local stem(elem) = + local elems = std.split(elem, '.'); + std.join('.', elems[:std.length(elems) - 1]); + +local fixup_deploy(obj) = + obj { + spec+: { + template+: { + spec+: { + containers: [ + c { + ports: [ + { + containerPort: 8080, + name: 'http', + }, + ], + } + for c in super.containers + if c.name != 'kube-rbac-proxy' + ], + volumes: [ + v + for v in super.volumes + if v.name != 'tls-cert' + ], + }, + }, + }, + }; +local fixup_service(obj) = + obj { + spec+: { + ports: [ + { + name: 'http', + port: 8080, + targetPort: 'http', + }, + ], + }, + }; +local fixup_servicemonitor(obj) = + obj { + spec+: { + endpoints: [ + { + interval: '30s', + port: 'http', + scheme: 'http', + }, + ], + }, + }; + +local fixup_obj(obj) = + if obj.kind == 'Deployment' then + fixup_deploy(obj) + else if obj.kind == 'Service' then + fixup_service(obj) + else if obj.kind == 'ServiceMonitor' then + fixup_servicemonitor(obj) + else + obj; + +local fixup(obj_file) = + local objs = std.prune(com.yaml_load_all(obj_file)); + // process all objs + [ fixup_obj(obj) for obj in objs ]; + +if distribution != 'openshift4' then + { + [stem(elem)]: fixup(input_file(elem)) + for elem in chart_files + } +else + {} diff --git a/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml b/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml index 8ad52ce..913ca13 100644 
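Review bot: On non-OpenShift clusters `fixup_deploy` drops the `kube-rbac-proxy` container and the `tls-cert` volume, and `fixup_service`/`fixup_servicemonitor` then publish the manager's port 8080 as plain `http` with no bearer token, so the operator's `/metrics` endpoint becomes reachable unauthenticated and unencrypted from any pod that can route to the Service. If that is an accepted trade-off it should be stated in a header comment in this file and paired with a NetworkPolicy limiting port 8080 to the monitoring namespace; otherwise keep the proxy and source its certificate elsewhere instead of removing it. The manager is started with only `--leader-elect`, so it presumably listens on its default metrics bind address — confirm that is not loopback-only, or the new Service selects a port nothing answers on. Left as is, the `resource-locker-operator-proxy-role` ClusterRole (create `tokenreviews`/`subjectaccessreviews`) and its `resource-locker-operator-proxy-rolebinding` still grant the controller-manager ServiceAccount permissions only the removed sidecar used, and the Service keeps the OpenShift-only `service.alpha.openshift.io/serving-cert-secret-name` annotation; `fixup` could filter the dead RBAC objects out as below.
```jsonnet
// RBAC that exists solely for kube-rbac-proxy; dead once the sidecar is removed.
local proxy_rbac_names = std.set([
  'resource-locker-operator-proxy-role',
  'resource-locker-operator-proxy-rolebinding',
]);
local is_proxy_rbac(obj) =
  std.member([ 'ClusterRole', 'ClusterRoleBinding' ], obj.kind)
  && std.setMember(obj.metadata.name, proxy_rbac_names);

local fixup(obj_file) =
  local objs = std.prune(com.yaml_load_all(obj_file));
  // process all objs, dropping the proxy-only RBAC
  [ fixup_obj(obj) for obj in objs if !is_proxy_rbac(obj) ];
// … unchanged: distribution gate and output object …
```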
--- a/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml +++ b/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml @@ -22,52 +22,31 @@ spec: operator: resource-locker-operator spec: containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --tls-cert-file=/etc/certs/tls/tls.crt - - --tls-private-key-file=/etc/certs/tls/tls.key - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /etc/certs/tls - name: tls-cert - - args: - - --leader-elect - command: - - /manager - image: quay.io/redhat-cop/resource-locker-operator:v1.1.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: resource-locker-operator - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - requests: - cpu: 100m - memory: 20Mi + - args: + - --leader-elect + command: + - /manager + image: quay.io/redhat-cop/resource-locker-operator:v1.1.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: resource-locker-operator + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 20Mi serviceAccountName: resource-locker-operator-controller-manager - volumes: - - name: tls-cert - secret: - defaultMode: 420 - secretName: resource-locker-operator-certs + volumes: [] 
diff --git a/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml b/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml index 1c8977c..3e0d89a 100644 --- a/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml +++ b/tests/golden/defaults/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml 
@@ -10,109 +10,108 @@ metadata: name: resource-locker-operator-leader-election-role namespace: syn-resource-locker rules: - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - '' - resources: - - configmaps/status - verbs: - - get - - update - - patch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - '' + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: resource-locker-operator-manager-role rules: - - apiGroups: - - '' - resources: - - secrets - - serviceaccounts - verbs: - - get - - list - - watch - - apiGroups: - - redhatcop.redhat.io - resources: - - resourcelockers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - redhatcop.redhat.io - resources: - - resourcelockers/status - verbs: - - get - - patch - - update +- apiGroups: + - '' + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - redhatcop.redhat.io + resources: + - resourcelockers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - redhatcop.redhat.io + resources: + - resourcelockers/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: 
resource-locker-operator-metrics-reader rules: - - nonResourceURLs: - - /metrics - verbs: - - get +- nonResourceURLs: + - /metrics + verbs: + - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: resource-locker-operator-proxy-role rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -124,9 +123,9 @@ roleRef: kind: Role name: resource-locker-operator-leader-election-role subjects: - - kind: ServiceAccount - name: resource-locker-operator-controller-manager - namespace: syn-resource-locker +- kind: ServiceAccount + name: resource-locker-operator-controller-manager + namespace: syn-resource-locker --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -137,9 +136,9 @@ roleRef: kind: ClusterRole name: resource-locker-operator-manager-role subjects: - - kind: ServiceAccount - name: resource-locker-operator-controller-manager - namespace: syn-resource-locker +- kind: ServiceAccount + name: resource-locker-operator-controller-manager + namespace: syn-resource-locker --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -150,9 +149,9 @@ roleRef: kind: ClusterRole name: resource-locker-operator-proxy-role subjects: - - kind: ServiceAccount - name: resource-locker-operator-controller-manager - namespace: syn-resource-locker +- kind: ServiceAccount + name: resource-locker-operator-controller-manager + namespace: syn-resource-locker --- apiVersion: v1 kind: Service 
@@ -165,9 +164,9 @@ metadata: namespace: syn-resource-locker spec: ports: - - name: https - port: 8443 - targetPort: https + - name: http + port: 8080 + targetPort: http selector: operator: resource-locker-operator --- @@ -180,13 +179,9 @@ metadata: namespace: syn-resource-locker spec: endpoints: - - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - interval: 30s - port: https - scheme: https - tlsConfig: - caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt - serverName: resource-locker-operator-controller-manager-metrics.syn-resource-locker.svc + - interval: 30s + port: http + scheme: http selector: matchLabels: operator: resource-locker-operator diff --git a/tests/golden/openshift4/resource-locker/apps/resource-locker.yaml b/tests/golden/openshift4/resource-locker/apps/resource-locker.yaml new file mode 100644 index 0000000..e69de29 diff --git a/tests/golden/openshift4/resource-locker/resource-locker/00_crds/crds.yaml b/tests/golden/openshift4/resource-locker/resource-locker/00_crds/crds.yaml new file mode 100644 index 0000000..b454ff7 --- /dev/null +++ b/tests/golden/openshift4/resource-locker/resource-locker/00_crds/crds.yaml 
@@ -0,0 +1,298 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: resourcelockers.redhatcop.redhat.io +spec: + group: redhatcop.redhat.io + names: + kind: ResourceLocker + listKind: ResourceLockerList + plural: resourcelockers + singular: resourcelocker + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The service account used to create and enfoce these resources and patches, must have required permissions via RBAC + jsonPath: .spec.serviceAccountRef.name + name: SERVICE ACCOUNT + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ResourceLocker Represents the intetion to create and enforce a set of resources and/or patches. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ResourceLockerSpec defines the desired state of ResourceLocker + properties: + patches: + description: Patches is a list of patches that should be enforced at runtime. 
+ items: + description: Patch describes a patch to be enforced at runtime + properties: + id: + description: ID represents a unique Identifier for this patch + type: string + patchTemplate: + description: PatchTemplate is a go template that will be resolved using the SourceObjectRefs as parameters. The result must be a valid patch based on the pacth type and the target object. + type: string + patchType: + description: PatchType is the type of patch to be applied, one of "application/json-patch+json"'"application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml" default:="application/strategic-merge-patch+json" + enum: + - application/json-patch+json + - application/merge-patch+json + - application/strategic-merge-patch+json + - application/apply-patch+yaml + type: string + sourceObjectRefs: + description: SourceObject refs is an arrays of refereces to source objects that will be used as input for the template processing + items: + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. 
In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + x-kubernetes-list-type: atomic + targetObjectRef: + description: TargetObjectRef is a reference to the object to which the pacth should be applied. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - id + - patchTemplate + - targetObjectRef + type: object + type: array + x-kubernetes-list-map-keys: + - id + x-kubernetes-list-type: map + resources: + items: + description: Resource represent a resource to be enforced + properties: + excludedPaths: + items: + type: string + type: array + x-kubernetes-list-type: set + object: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - object + type: object + type: array + x-kubernetes-list-type: atomic + serviceAccountRef: + description: 'ServiceAccountRef is the service account to be used to run the controllers associated with this configuration kubebuilder:default:="{Name: "default"}"' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: object + status: + description: ResourceLockerStatus defines the observed state of ResourceLocker + properties: + conditions: + description: ReconcileStatus this is the general status of the main reconciler + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + lockedPatchStatuses: + additionalProperties: + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + description: LockedResourceStatuses contains the reconcile status for each of the managed resources + type: object + lockedResourceStatuses: + additionalProperties: + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. 
// Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + description: LockedResourceStatuses contains the reconcile status for each of the managed resources + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/tests/golden/openshift4/resource-locker/resource-locker/00_namespace.yaml b/tests/golden/openshift4/resource-locker/resource-locker/00_namespace.yaml new file mode 100644 index 0000000..3118660 --- /dev/null +++ b/tests/golden/openshift4/resource-locker/resource-locker/00_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: syn-resource-locker + name: syn-resource-locker diff --git a/tests/golden/openshift4/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml b/tests/golden/openshift4/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml new file mode 100644 index 0000000..8ad52ce --- /dev/null +++ b/tests/golden/openshift4/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/manager.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: resource-locker-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: resource-locker-operator + app.kubernetes.io/version: v1.1.0 + helm.sh/chart: resource-locker-operator-v1.1.0 + name: resource-locker-operator +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: resource-locker-operator + app.kubernetes.io/name: resource-locker-operator + template: + metadata: + labels: + app.kubernetes.io/instance: resource-locker-operator + app.kubernetes.io/name: resource-locker-operator + operator: resource-locker-operator + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --tls-cert-file=/etc/certs/tls/tls.crt + - --tls-private-key-file=/etc/certs/tls/tls.key + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + resources: + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /etc/certs/tls + name: tls-cert + - args: + - --leader-elect + command: + - /manager + image: quay.io/redhat-cop/resource-locker-operator:v1.1.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: resource-locker-operator + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 20Mi + serviceAccountName: resource-locker-operator-controller-manager + volumes: + - name: tls-cert + secret: + defaultMode: 420 + secretName: resource-locker-operator-certs 
diff --git a/tests/golden/openshift4/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml b/tests/golden/openshift4/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml new file mode 100644 index 0000000..1c8977c --- /dev/null +++ b/tests/golden/openshift4/resource-locker/resource-locker/01_resource_locker_operator_helmchart/resource-locker-operator/templates/rbac.yaml 
@@ -0,0 +1,192 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: resource-locker-operator-controller-manager
+ namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: resource-locker-operator-leader-election-role
+ namespace: syn-resource-locker
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: resource-locker-operator-manager-role
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - redhatcop.redhat.io
+ resources:
+ - resourcelockers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - redhatcop.redhat.io
+ resources:
+ - resourcelockers/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: resource-locker-operator-metrics-reader
+rules:
+ - nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: resource-locker-operator-proxy-role
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: resource-locker-operator-leader-election-rolebinding
+ namespace: syn-resource-locker
+roleRef:
+ apiGroup: 
rbac.authorization.k8s.io
+ kind: Role
+ name: resource-locker-operator-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: resource-locker-operator-controller-manager
+ namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: resource-locker-operator-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: resource-locker-operator-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: resource-locker-operator-controller-manager
+ namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: resource-locker-operator-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: resource-locker-operator-proxy-role
+subjects:
+ - kind: ServiceAccount
+ name: resource-locker-operator-controller-manager
+ namespace: syn-resource-locker
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: resource-locker-operator-certs
+ labels:
+ operator: resource-locker-operator
+ name: resource-locker-operator-controller-manager-metrics
+ namespace: syn-resource-locker
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ operator: resource-locker-operator
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: resource-locker-operator-controller-manager-metrics-monitor
+ namespace: syn-resource-locker
+spec:
+ endpoints:
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
+ port: https
+ scheme: https
+ tlsConfig:
+ caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+ serverName: resource-locker-operator-controller-manager-metrics.syn-resource-locker.svc
+ selector:
+ matchLabels:
+ operator: resource-locker-operator
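Review bot: The `resource-locker-operator-manager-role` ClusterRole, bound cluster-wide to the controller-manager ServiceAccount by `resource-locker-operator-manager-rolebinding`, grants `get`/`list`/`watch` on `secrets` and `serviceaccounts` in every namespace, so this operator's SA can read all Secrets in the cluster; that appears to come from the upstream chart, but it is a cluster-wide blast radius that the component documentation should state explicitly and that audit rules for the `resource-locker-operator-controller-manager` SA should take into account. The metrics Service uses the `service.alpha.openshift.io/serving-cert-secret-name` annotation; the `service.beta.openshift.io/serving-cert-secret-name` form is the current, documented one, and the alpha name should be switched in the component's post-processing, not in this golden file. On the positive side, the ServiceMonitor verifies the serving cert with `caFile` and `serverName` rather than `insecureSkipVerify`. This hunk begins on the previous line of this diff.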
diff --git a/tests/golden/openshift4/resource-locker/resource-locker/10_upgrade_job.yaml b/tests/golden/openshift4/resource-locker/resource-locker/10_upgrade_job.yaml
new file mode 100644
index 0000000..bf5fec9
--- /dev/null
+++ b/tests/golden/openshift4/resource-locker/resource-locker/10_upgrade_job.yaml
@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-10'
+ labels:
+ name: delete-operator-deployment
+ name: delete-operator-deployment
+ namespace: syn-resource-locker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-10'
+ labels:
+ name: delete-operator-deployment
+ name: delete-operator-deployment
+ namespace: syn-resource-locker
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-10'
+ labels:
+ name: delete-operator-deployment
+ name: delete-operator-deployment
+ namespace: syn-resource-locker
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: delete-operator-deployment
+subjects:
+ - kind: ServiceAccount
+ name: delete-operator-deployment
+ namespace: syn-resource-locker
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: HookSucceeded
+ argocd.argoproj.io/sync-wave: '-10'
+ labels:
+ name: delete-operator-deployment
+ name: delete-operator-deployment
+ namespace: syn-resource-locker
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ name: delete-operator-deployment
+ spec:
+ containers:
+ - args: []
+ command:
+ - bash
+ - -c
+ - "#!/bin/bash\n\nset -eo pipefail\n\nif ! 
kubectl -n \"${NAMESPACE}\"\
+ \ get deployment resource-locker-operator; then\n echo \"No resource\
+ \ locker operator deployment found, exiting...\"\n exit 0\nfi\n\nchart_version=$(kubectl\
+ \ -n \"${NAMESPACE}\" get deployment resource-locker-operator \\\n \
+ \ -ojsonpath='{.metadata.labels.helm\\.sh/chart}')\n\nif [ \"${chart_version}\"\
+ \ != \"resource-locker-operator-${NEW_VERSION}\" ]; then\n echo \"\
+ Deleting resource locker operator deployment...\"\n kubectl -n \"${NAMESPACE}\"\
+ \ delete --wait=true --cascade=foreground deployment resource-locker-operator\n\
+ else\n echo \"No chart version change, exiting...\"\nfi\nexit 0\n"
+ env:
+ - name: HOME
+ value: /work
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NEW_VERSION
+ value: v1.1.0
+ image: quay.io/bitnami/kubectl:1.21.5
+ imagePullPolicy: IfNotPresent
+ name: delete-deployment
+ ports: []
+ stdin: false
+ tty: false
+ volumeMounts:
+ - mountPath: /work
+ name: work
+ imagePullSecrets: []
+ initContainers: []
+ restartPolicy: OnFailure
+ serviceAccountName: delete-operator-deployment
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: work
diff --git a/tests/openshift4.yml b/tests/openshift4.yml
new file mode 100644
index 0000000..4778c3a
--- /dev/null
+++ b/tests/openshift4.yml
@@ -0,0 +1,4 @@
+parameters:
+ facts:
+ distribution: openshift4
+ resource_locker: {}
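Review bot: The upgrade Job's `spec` sets `completions`, `parallelism` and `restartPolicy: OnFailure` but no `backoffLimit` or `activeDeadlineSeconds`, so a `kubectl delete --wait=true --cascade=foreground` that hangs (for example on a finalizer) keeps the pod restarting under the default backoff with no upper bound on the sync-wave hook; adding `backoffLimit: 3` and an `activeDeadlineSeconds` bounds that. The `quay.io/bitnami/kubectl:1.21.5` image is pinned by mutable tag rather than digest, which matters for a container that runs with delete rights on the operator Deployment, though the Role itself is well scoped (`get`/`delete` on `deployments` in the namespace only, with `NAMESPACE` taken from the downward API rather than hard-coded). As golden output, these changes belong in the component source that renders `10_upgrade_job.yaml`, presumably its jsonnet, and this hunk begins on the previous line of this diff.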