diff --git a/Makefile b/Makefile index 78c8620b..1244a0a5 100644 --- a/Makefile +++ b/Makefile @@ -53,6 +53,7 @@ all: manager cosmoctl dashboard manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. ifeq ($(QUICK_BUILD),no) $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./api/..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./internal/webhooks" output:crd:artifacts:config=config/crd/bases endif .PHONY: generate diff --git a/charts/Makefile b/charts/Makefile index d237df9a..79decb3f 100644 --- a/charts/Makefile +++ b/charts/Makefile @@ -2,6 +2,8 @@ HELM = ../bin/helm KUSTOMIZE = ../bin/kustomize +all: crd cosmo-username-headers-addon.yaml webhook.yaml + helm: make -C ../ helm @@ -19,8 +21,6 @@ test: chartsnap helm helm-dependency-update test-list: grep -R '{{[-|] if .*}}' cosmo/templates/* | grep .Values | awk -F':' '{print $$2}' | sed -n 's/.*\(.Values[^ ]*\).*/\1/p' | tr -d ')' | sort | uniq | awk -F'.Values.' '{print $$2}' > cosmo/test/if-values.list -update-charts: crd cosmo-username-headers-addon.yaml webhook.yaml - crd: cp ../config/crd/bases/* cosmo/crds/ 
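Review bot: In the root `Makefile` `manifests` target, the added `$(CONTROLLER_GEN)` line repeats `rbac:roleName=manager-role`, `webhook` and `output:crd:artifacts:config=config/crd/bases` with only `paths` changed to `./internal/webhooks`. Neither run sets an explicit output for the rbac or webhook generators, so if both write to the same default locations, the second run replaces the `manager-role` ClusterRole and the webhook manifests generated from `./api/...` with ones built only from the markers under `./internal/webhooks`. That would silently change the controller's RBAC, so it is worth diffing the generated role after `make manifests`. A single invocation over both roots avoids the ordering dependency, for example `$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./api/...;./internal/webhooks" output:crd:artifacts:config=config/crd/bases`.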
@@ -40,6 +40,6 @@ webhook.yaml: $(KUSTOMIZE) build ../config/webhook-chart \ | sed -e 's/namespace: system/namespace: {{ .Release.Namespace }}/g' \ | sed -z 's;apiVersion: v1\nkind: Service\nmetadata:\n name: cosmo-webhook-service\n namespace: {{ .Release.Namespace }}\nspec:\n ports:\n - port: 443\n targetPort: 9443\n selector:\n control-plane: controller-manager\n---;{{ $$tls := fromYaml ( include "cosmo.webhook.gen-certs" . ) }}\n---\n{{- if $$.Values.controllerManager.webhook.enabled }};g' \ - | sed -z 's;creationTimestamp: null;{{- if $$.Values.certManager.enabled }}\n annotations:\n cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert\n {{- end }}\n labels:\n {{- include "cosmo.labels" . | nindent 4 }};g' \ + | sed -z 's;metadata:\n;metadata:\n{{- if $$.Values.certManager.enabled }}\n annotations:\n cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert\n {{- end }}\n labels:\n {{- include "cosmo.labels" . | nindent 4 }}\n;g' \ | sed -z 's;clientConfig:;clientConfig:\n caBundle: {{ if not $$.Values.certManager.enabled -}}{{ $$tls.caCert }}{{- else -}}Cg=={{ end }};g' > $(WEBHOOK_CHART_YAML) echo '{{- end }}' >> $(WEBHOOK_CHART_YAML) diff --git a/charts/cosmo/templates/controller-manager/webhook.yaml b/charts/cosmo/templates/controller-manager/webhook.yaml index 87b88fcf..40c6f51c 100644 --- a/charts/cosmo/templates/controller-manager/webhook.yaml +++ b/charts/cosmo/templates/controller-manager/webhook.yaml @@ -4,7 +4,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - {{- if $.Values.certManager.enabled }} +{{- if $.Values.certManager.enabled }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert {{- end }} 
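Review bot: In the `charts/Makefile` `webhook.yaml` recipe, the new anchor `s;metadata:\n;…;g` is not tied to the start of a line, and with `-z` and `g` it rewrites every occurrence of `metadata:` followed by a newline in the kustomize output, at any indentation. Any nested `metadata:` key, or any additional object that kustomize starts emitting, would get the `cert-manager.io/inject-ca-from` annotation and the chart labels injected. An object that already has `labels:` or `annotations:` would end up with duplicate keys. Restricting the match to top-level keys keeps the injection on the webhook configurations only: `s;\nmetadata:\n;\nmetadata:\n{{- if $$.Values.certManager.enabled }}…;g`, with the rest of the replacement unchanged. The recipe starts above this hunk, so the earlier `sed` stages are only partly visible here.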
@@ -22,7 +22,7 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -32,7 +32,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -44,7 +44,7 @@ webhooks: namespace: {{ .Release.Namespace }} path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -54,7 +54,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -104,7 +104,7 @@ webhooks: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - {{- if $.Values.certManager.enabled }} +{{- if $.Values.certManager.enabled }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert {{- end }} @@ -134,6 +134,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: {{ if not $.Values.certManager.enabled -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }} + service: + name: cosmo-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
@@ -156,6 +178,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: {{ if not $.Values.certManager.enabled -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }} + service: + name: cosmo-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap index 9f134abe..e8a5951c 100644 --- a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap +++ b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" 
@@ -922,6 +945,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1029,7 +1053,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1039,7 +1063,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1051,7 +1075,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1061,7 +1085,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1173,6 +1197,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
@@ -1195,6 +1241,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap index 0167bb1f..0d6058d6 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap @@ -292,6 +292,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -528,6 +545,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -819,6 +840,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -908,6 +931,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local 
@@ -1030,7 +1054,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1040,7 +1064,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1052,7 +1076,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1062,7 +1086,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1174,6 +1198,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1196,6 +1242,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap index 94a28218..f6b63771 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -816,6 +837,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -905,6 +928,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1027,7 +1051,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1037,7 +1061,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 
@@ -1049,7 +1073,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1059,7 +1083,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1171,6 +1195,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1193,6 +1239,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap index c0092305..e8d4aa98 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap 
@@ -292,6 +292,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -505,6 +522,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -788,6 +809,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -877,6 +900,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -999,7 +1023,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1009,7 +1033,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1021,7 +1045,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1031,7 +1055,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 
@@ -1143,6 +1167,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1165,6 +1211,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap index 4f8df1f6..42f9dea7 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap @@ -292,6 +292,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding 
@@ -528,6 +545,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -828,6 +849,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -917,6 +940,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap index 1cbe1551..3322457b 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -835,6 +856,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" 
@@ -924,6 +947,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1046,7 +1070,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1056,7 +1080,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1068,7 +1092,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1078,7 +1102,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1190,6 +1214,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
@@ -1212,6 +1258,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap b/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap index fe76e54d..23b6047b 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -832,6 +853,7 @@ spec: - --graceful-shutdown-seconds=10 - --timeout-seconds=5 - --insecure + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -914,6 +936,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local 
@@ -998,7 +1021,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1008,7 +1031,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1020,7 +1043,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1030,7 +1053,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1142,6 +1165,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1164,6 +1209,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap index 478d56e0..4e4f3dbe 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 - --ldap-url=ldap://example.com:389 - --ldap-insecure-skip-verify=false - --ldap-start-tls=false @@ -930,6 +953,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1052,7 +1076,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1062,7 +1086,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 
@@ -1074,7 +1098,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1084,7 +1108,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1196,6 +1220,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1218,6 +1264,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap index 54acff55..bcac1c86 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap 
@@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 - --ldap-url=ldap://example.com:389 - --ldap-insecure-skip-verify=false - --ldap-start-tls=false @@ -930,6 +953,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1052,7 +1076,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1062,7 +1086,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1074,7 +1098,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1084,7 +1108,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 
@@ -1196,6 +1220,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1218,6 +1264,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap b/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap index 9092c58d..53c47004 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding 
@@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -922,6 +945,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1044,7 +1068,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1054,7 +1078,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1066,7 +1090,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1076,7 +1100,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 
@@ -1188,6 +1212,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1210,6 +1256,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap b/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap index 057666f7..79cda6ec 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap 
@@ -833,6 +854,8 @@ spec: - --timeout-seconds=300 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -922,6 +945,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1044,7 +1068,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1054,7 +1078,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1066,7 +1090,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1076,7 +1100,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1188,6 +1212,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
@@ -1210,6 +1256,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-default.snap b/charts/cosmo/test/__snapshots__/test-default.snap index 91453feb..befd7bbd 100644 --- a/charts/cosmo/test/__snapshots__/test-default.snap +++ b/charts/cosmo/test/__snapshots__/test-default.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -922,6 +945,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local 
@@ -1044,7 +1068,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1054,7 +1078,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1066,7 +1090,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1076,7 +1100,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1188,6 +1212,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1210,6 +1256,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
diff --git a/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap b/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap index 1cb96042..98024b5a 100644 --- a/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap +++ b/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -922,6 +945,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1044,7 +1068,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1054,7 +1078,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 
@@ -1066,7 +1090,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1076,7 +1100,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1188,6 +1212,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1210,6 +1256,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-localRunTest.snap b/charts/cosmo/test/__snapshots__/test-localRunTest.snap index 99d15b29..4d8e2e32 100644 --- a/charts/cosmo/test/__snapshots__/test-localRunTest.snap +++ b/charts/cosmo/test/__snapshots__/test-localRunTest.snap 
@@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -526,6 +543,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 - name: cosmo-dashboard-ui-server port: 3000 protocol: TCP @@ -829,6 +850,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -918,6 +941,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1091,7 +1115,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1101,7 +1125,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1113,7 +1137,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1123,7 +1147,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 
@@ -1235,6 +1259,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1257,6 +1303,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-logging.snap b/charts/cosmo/test/__snapshots__/test-logging.snap index b9500b70..4d68bf0e 100644 --- a/charts/cosmo/test/__snapshots__/test-logging.snap +++ b/charts/cosmo/test/__snapshots__/test-logging.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap 
@@ -835,6 +856,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -924,6 +947,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1046,7 +1070,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1056,7 +1080,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1068,7 +1092,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1078,7 +1102,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1190,6 +1214,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
@@ -1212,6 +1258,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-nameOverride.snap b/charts/cosmo/test/__snapshots__/test-nameOverride.snap index 4035c938..9ba92935 100644 --- a/charts/cosmo/test/__snapshots__/test-nameOverride.snap +++ b/charts/cosmo/test/__snapshots__/test-nameOverride.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -833,6 +854,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -922,6 +945,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local 
@@ -1044,7 +1068,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1054,7 +1078,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1066,7 +1090,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1076,7 +1100,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1188,6 +1212,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1210,6 +1256,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
diff --git a/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap b/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap index 89bd1a71..c96f56ed 100644 --- a/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap +++ b/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap @@ -294,6 +294,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding @@ -530,6 +547,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -839,6 +860,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -928,6 +951,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1050,7 +1074,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1060,7 +1084,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 
@@ -1072,7 +1096,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1082,7 +1106,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -1194,6 +1218,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1216,6 +1262,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap b/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap index e48e4ee2..6311f24b 100644 --- a/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap +++ b/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap 
@@ -219,6 +219,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/templates/controller-manager/roles.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -410,6 +427,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -565,6 +586,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -639,6 +662,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -740,7 +764,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -750,7 +774,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -762,7 +786,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -772,7 +796,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 
@@ -884,6 +908,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -906,6 +952,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap b/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap index a35f45f2..25745247 100644 --- a/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap +++ b/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap @@ -268,6 +268,23 @@ rules: - get - list - watch +- apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - get + - list + - watch --- # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml kind: ClusterRoleBinding 
@@ -504,6 +521,10 @@ spec: port: 8443 protocol: TCP targetPort: 8443 + - name: incluster-insecure-server + port: 8080 + protocol: TCP + targetPort: 8080 selector: cosmo-workspace.github.io: dashboard app.kubernetes.io/instance: chartsnap @@ -807,6 +828,8 @@ spec: - --timeout-seconds=5 - --tls-key=/app/cert/tls.key - --tls-cert=/app/cert/tls.crt + - --ca-cert=/app/cert/ca.crt + - --incluster-port=8080 command: - /app/dashboard image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" @@ -896,6 +919,7 @@ metadata: name: cosmo-dashboard-cert namespace: cosmo-system spec: + commonName: cosmo-dashboard.cosmo-system.svc.cluster.local dnsNames: - cosmo-dashboard.cosmo-system.svc - cosmo-dashboard.cosmo-system.svc.cluster.local @@ -1018,7 +1042,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1028,7 +1052,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -1040,7 +1064,7 @@ webhooks: namespace: cosmo-system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -1050,7 +1074,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 
@@ -1162,6 +1186,28 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 @@ -1184,6 +1230,28 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/charts/cosmo/test/if-values.list b/charts/cosmo/test/if-values.list new file mode 100644 index 00000000..2c3cf0d1 --- /dev/null +++ b/charts/cosmo/test/if-values.list 
@@ -0,0 +1,32 @@ +certManager.enabled +certManager.issuer.clusterIssuer +certManager.issuer.create +controllerManager.dnsPolicy +controllerManager.healthz.enabled +controllerManager.hostNetwork +controllerManager.localRunTest.enabled +controllerManager.logging.level +controllerManager.metrics.enabled +controllerManager.metrics.kubeRbacProxy.enabled +controllerManager.podAnnotations +controllerManager.podLabels +controllerManager.serviceAccount.create +controllerManager.traefikIngressRouteTemplate.namespace +controllerManager.webhook.enabled +dashboard.auth.ldap.enabled +dashboard.auth.ldap.tls.secretName +dashboard.gracefulShutdownSeconds +dashboard.inclusterServer.port +dashboard.ingressRoute.enabled +dashboard.localRunTest.enabled +dashboard.logging.level +dashboard.podAnnotations +dashboard.podLabels +dashboard.responseTimeoutSeconds +dashboard.serviceAccount.create +dashboard.session.secretKeys.COOKIE_BLOCKKEY +dashboard.session.secretKeys.COOKIE_HASHKEY +dashboard.session.secretKeys.COOKIE_SESSION_NAME +dashboard.tls.enabled +fullnameOverride +installDefaultUserAddon diff --git a/cmd/controller-manager/main.go b/cmd/controller-manager/main.go index 9c36e85a..c2132c30 100644 --- a/cmd/controller-manager/main.go +++ b/cmd/controller-manager/main.go @@ -202,6 +202,12 @@ MIT 2023 cosmo-workspace/cosmo Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) + (&webhooks.TemplateValidationWebhookHandler{ + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("TemplateValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), + }).SetupWebhookWithManager(mgr) + ctx := ctrl.SetupSignalHandler() if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 39180ff9..0fc48b4a 100644 --- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml 
@@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - creationTimestamp: null name: mutating-webhook-configuration webhooks: - admissionReviewVersions: @@ -14,7 +13,7 @@ webhooks: namespace: system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: minstance.kb.io + name: mclusterinstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -24,7 +23,7 @@ webhooks: - CREATE - UPDATE resources: - - instances + - clusterinstances sideEffects: None - admissionReviewVersions: - v1 @@ -35,7 +34,7 @@ webhooks: namespace: system path: /mutate-cosmo-workspace-github-io-v1alpha1-instance failurePolicy: Fail - name: mclusterinstance.kb.io + name: minstance.kb.io rules: - apiGroups: - cosmo-workspace.github.io @@ -45,7 +44,7 @@ webhooks: - CREATE - UPDATE resources: - - clusterinstances + - instances sideEffects: None - admissionReviewVersions: - v1 @@ -93,7 +92,6 @@ webhooks: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - creationTimestamp: null name: validating-webhook-configuration webhooks: - admissionReviewVersions: @@ -117,6 +115,27 @@ webhooks: resources: - clusterinstances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vclustertemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clustertemplates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 
@@ -138,6 +157,27 @@ webhooks: resources: - instances sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-cosmo-workspace-github-io-v1alpha1-template + failurePolicy: Fail + name: vtemplate.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - templates + sideEffects: None - admissionReviewVersions: - v1 - v1alpha1 diff --git a/internal/cmd/suite_test.go b/internal/cmd/suite_test.go index bda93e69..ed7e71c5 100644 --- a/internal/cmd/suite_test.go +++ b/internal/cmd/suite_test.go @@ -129,6 +129,12 @@ var _ = BeforeSuite(func() { Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) + (&webhooks.TemplateValidationWebhookHandler{ + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("TemplateValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), + }).SetupWebhookWithManager(mgr) + go func() { defer GinkgoRecover() err := mgr.Start(ctx) diff --git a/internal/dashboard/suite_test.go b/internal/dashboard/suite_test.go index ef6e385b..68197ce6 100644 --- a/internal/dashboard/suite_test.go +++ b/internal/dashboard/suite_test.go @@ -140,6 +140,12 @@ var _ = BeforeSuite(func() { Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) + (&webhooks.TemplateValidationWebhookHandler{ + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("TemplateValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), + }).SetupWebhookWithManager(mgr) + // Setup server By("bootstrapping server") clientMock = kubeutil.NewClientMock(mgr.GetClient()) diff --git a/internal/webhooks/suite_test.go b/internal/webhooks/suite_test.go index 4e1f774c..a3a2c079 100644 --- a/internal/webhooks/suite_test.go +++ b/internal/webhooks/suite_test.go 
@@ -128,6 +128,12 @@ var _ = BeforeSuite(func() { Decoder: admission.NewDecoder(mgr.GetScheme()), }).SetupWebhookWithManager(mgr) + (&TemplateValidationWebhookHandler{ + Client: mgr.GetClient(), + Log: clog.NewLogger(ctrl.Log.WithName("TemplateValidationWebhook")), + Decoder: admission.NewDecoder(mgr.GetScheme()), + }).SetupWebhookWithManager(mgr) + go func() { defer GinkgoRecover() err := mgr.Start(ctx) diff --git a/internal/webhooks/template_webhook.go b/internal/webhooks/template_webhook.go new file mode 100644 index 00000000..b0c0e83e --- /dev/null +++ b/internal/webhooks/template_webhook.go 
@@ -0,0 +1,85 @@ +package webhooks + +import ( + "context" + "fmt" + "net/http" + + apierrs "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" + + cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" + "github.com/cosmo-workspace/cosmo/pkg/clog" +) + +type TemplateValidationWebhookHandler struct { + Client client.Client + Log *clog.Logger + Decoder admission.Decoder +} + +//+kubebuilder:webhook:path=/validate-cosmo-workspace-github-io-v1alpha1-template,mutating=false,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=templates,verbs=create;update,versions=v1alpha1,name=vtemplate.kb.io,admissionReviewVersions={v1,v1alpha1} +//+kubebuilder:webhook:path=/validate-cosmo-workspace-github-io-v1alpha1-template,mutating=false,failurePolicy=fail,sideEffects=None,groups=cosmo-workspace.github.io,resources=clustertemplates,verbs=create;update,versions=v1alpha1,name=vclustertemplate.kb.io,admissionReviewVersions={v1,v1alpha1} + +func (h *TemplateValidationWebhookHandler) SetupWebhookWithManager(mgr ctrl.Manager) { + mgr.GetWebhookServer().Register( + "/validate-cosmo-workspace-github-io-v1alpha1-template", + &webhook.Admission{Handler: h}, + ) +} + +// Handle validates the fields in Template +func (h *TemplateValidationWebhookHandler) Handle(ctx context.Context, req admission.Request) admission.Response { + log := h.Log.WithValues("UID", req.UID, "GroupVersionKind", req.Kind.String(), "Name", req.Name, "Namespace", req.Namespace) + + switch req.RequestKind.Kind { + case "Template": + tmpl := &cosmov1alpha1.Template{} + err := h.Decoder.Decode(req, tmpl) + if err != nil { + log.Error(err, "failed to decode request") + return admission.Errored(http.StatusBadRequest, err) + } + log.DebugAll().DumpObject(h.Client.Scheme(), tmpl, "request 
template") + + clusterTmpl := &cosmov1alpha1.ClusterTemplate{} + err = h.Client.Get(ctx, types.NamespacedName{Name: tmpl.Name}, clusterTmpl) + if err == nil { + return admission.Errored(http.StatusBadRequest, fmt.Errorf("ClusterTemplate: %s already exists", tmpl.Name)) + } else { + if !apierrs.IsNotFound(err) { + return admission.Errored(http.StatusInternalServerError, fmt.Errorf("failed to get ClusterTemplate: %w", err)) + } + } + + case "ClusterTemplate": + clusterTmpl := &cosmov1alpha1.ClusterTemplate{} + err := h.Decoder.Decode(req, clusterTmpl) + if err != nil { + log.Error(err, "failed to decode request") + return admission.Errored(http.StatusBadRequest, err) + } + log.DebugAll().DumpObject(h.Client.Scheme(), clusterTmpl, "request cluster template") + + tmpl := &cosmov1alpha1.Template{} + err = h.Client.Get(ctx, types.NamespacedName{Name: clusterTmpl.Name}, tmpl) + if err == nil { + return admission.Errored(http.StatusBadRequest, fmt.Errorf("Template: %s already exists", clusterTmpl.Name)) + } else { + if !apierrs.IsNotFound(err) { + return admission.Errored(http.StatusInternalServerError, fmt.Errorf("failed to get Template: %w", err)) + } + } + + default: + err := fmt.Errorf("invalid kind: %v", req.RequestKind) + log.Error(err, "failed to decode request") + return admission.Errored(http.StatusBadRequest, err) + } + + return admission.Allowed("Validation OK") +} diff --git a/internal/webhooks/template_webhook_test.go b/internal/webhooks/template_webhook_test.go new file mode 100644 index 00000000..d2b6c24b --- /dev/null +++ b/internal/webhooks/template_webhook_test.go 
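Review bot: The two `h.Client.Get` lookups in `Handle` enforce the Template/ClusterTemplate name-uniqueness rule through the manager's default client (`Client: mgr.GetClient()` in cmd/controller-manager/main.go), which by default serves reads from the informer cache, so a counterpart created moments earlier may not be visible yet and the request is allowed. As far as this diff shows, the webhook is the guard against one kind shadowing the other by name, so I would give the handler a `Reader client.Reader` field set from `mgr.GetAPIReader()` and use it for both lookups, e.g. `err = h.Reader.Get(ctx, types.NamespacedName{Name: tmpl.Name}, clusterTmpl)`; the three suite_test.go registrations would need the same field. Even with an uncached read, two concurrent creates can both pass, so a comment on `Handle` should state that the check is best-effort. Separately, the `switch` reads `req.RequestKind.Kind` while the log line uses `req.Kind`; `RequestKind` is an optional pointer in the admission request, so `switch req.Kind.Kind {` avoids a nil dereference on a request that omits it.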
@@ -0,0 +1,78 @@ +package webhooks + +import ( + "context" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + cosmov1alpha1 "github.com/cosmo-workspace/cosmo/api/v1alpha1" +) + +var _ = Describe("Template webhook", func() { + BeforeEach(func() { + k8sClient.DeleteAllOf(context.Background(), &cosmov1alpha1.Template{}) + k8sClient.DeleteAllOf(context.Background(), &cosmov1alpha1.ClusterTemplate{}) + }) + Context("when creating Template and the same name Template exist", func() { + It("should deny", func() { + ctx := context.Background() + tmpl1 := cosmov1alpha1.Template{ + ObjectMeta: metav1.ObjectMeta{ + Name: "tmpl1", + }, + } + err := k8sClient.Create(ctx, &tmpl1) + Expect(err).ShouldNot(HaveOccurred()) + + tmpl2 := cosmov1alpha1.Template{ + ObjectMeta: metav1.ObjectMeta{ + Name: "tmpl1", + }, + } + err = k8sClient.Create(ctx, &tmpl2) + Expect(err).Should(HaveOccurred()) + }) + }) + Context("when creating ClusterTemplate and the same name Template exist", func() { + It("should deny", func() { + ctx := context.Background() + tmpl1 := cosmov1alpha1.Template{ + ObjectMeta: metav1.ObjectMeta{ + Name: "tmpl1", + }, + } + err := k8sClient.Create(ctx, &tmpl1) + Expect(err).ShouldNot(HaveOccurred()) + + tmpl2 := cosmov1alpha1.ClusterTemplate{ + ObjectMeta: metav1.ObjectMeta{ + Name: "tmpl1", + }, + } + err = k8sClient.Create(ctx, &tmpl2) + Expect(err).Should(HaveOccurred()) + }) + }) + Context("when creating Template and the same name ClusterTemplate exist", func() { + It("should deny", func() { + ctx := context.Background() + tmpl1 := cosmov1alpha1.ClusterTemplate{ + ObjectMeta: metav1.ObjectMeta{ + Name: "tmpl1", + }, + } + err := k8sClient.Create(ctx, &tmpl1) + Expect(err).ShouldNot(HaveOccurred()) + + tmpl2 := cosmov1alpha1.Template{ + ObjectMeta: metav1.ObjectMeta{ + Name: "tmpl1", + }, + } + err = k8sClient.Create(ctx, &tmpl2) + Expect(err).Should(HaveOccurred()) + }) + }) +})
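Review bot: The deny cases assert only `Expect(err).Should(HaveOccurred())`, which any failure satisfies, so they do not show that the rejection came from the new validation; asserting the message, e.g. `Expect(err.Error()).Should(ContainSubstring("Template: tmpl1 already exists"))` in the ClusterTemplate case, would pin it to the handler. The first context (two `Template` objects named `tmpl1`) is presumably rejected by the API server's own name conflict rather than by the webhook's cross-kind check, so it does not exercise the handler. The `DeleteAllOf` calls in `BeforeEach` drop their errors; wrapping each in `Expect(...).Should(Succeed())` would make a failed cleanup visible. There is also no case for the UPDATE operation, which the webhook markers register alongside CREATE.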