From c5a94acef2587b29cdd09435b5dc478145f9b84e Mon Sep 17 00:00:00 2001 From: Stephan Feurer Date: Thu, 18 Jan 2024 07:00:34 +0000 Subject: [PATCH 1/2] Update from template Template version: main (7803d07) --- .cruft.json | 6 +++--- .github/workflows/test.yaml | 14 ++++++++++++-- Makefile | 16 ++++++++++++++++ Makefile.vars.mk | 1 + renovate.json | 2 +- .../operator/cert-manager/apps/cert-manager.yaml | 0 tests/operator.yml | 3 +++ 7 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 tests/golden/operator/cert-manager/apps/cert-manager.yaml create mode 100644 tests/operator.yml diff --git a/.cruft.json b/.cruft.json index f00c63dd..461bfe20 100644 --- a/.cruft.json +++ b/.cruft.json @@ -1,17 +1,17 @@ { "template": "https://github.com/projectsyn/commodore-component-template.git", - "commit": "a4aff6a9d004c1aad085a875c7759c8f8f1e0d3d", + "commit": "7803d07f1d79fc8b902fcafbb336b6b0a4b57b90", "checkout": "main", "context": { "cookiecutter": { "name": "cert-manager", "slug": "cert-manager", "parameter_key": "cert_manager", - "test_cases": "defaults", + "test_cases": "defaults operator", "add_lib": "y", "add_pp": "y", "add_golden": "y", - "add_matrix": "n", + "add_matrix": "y", "add_go_unit": "n", "copyright_holder": "VSHN AG ", "copyright_year": "2021", diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index c0ff5291..44ae9f31 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -29,6 +29,11 @@ jobs: args: 'check' test: runs-on: ubuntu-latest + strategy: + matrix: + instance: + - defaults + - operator defaults: run: working-directory: ${{ env.COMPONENT_NAME }} @@ -37,9 +42,14 @@ jobs: with: path: ${{ env.COMPONENT_NAME }} - name: Compile component - run: make test + run: make test -e instance=${{ matrix.instance }} golden: runs-on: ubuntu-latest + strategy: + matrix: + instance: + - defaults + - operator defaults: run: working-directory: ${{ env.COMPONENT_NAME }} 
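Review bot: The new `run: make test -e instance=${{ matrix.instance }}` line in the `test` job expands a GitHub expression directly inside the shell command; with the two static literal matrix values this is harmless, but the pattern stops being safe the moment the matrix is derived from `inputs` or another external context, because the value is spliced into the script text before the shell parses it. The idiomatic hardening is to pass it through the environment: `env:` with `INSTANCE: ${{ matrix.instance }}` on the step, and `run: make test -e instance="$INSTANCE"`. The same applies to the `make golden-diff` step of the `golden` job in the next hunk. The `jobs` mapping these steps belong to starts and ends outside the hunks.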
@@ -48,4 +58,4 @@ jobs: with: path: ${{ env.COMPONENT_NAME }} - name: Golden diff - run: make golden-diff + run: make golden-diff -e instance=${{ matrix.instance }} diff --git a/Makefile b/Makefile index 8b9ce198..0646f903 100644 --- a/Makefile +++ b/Makefile @@ -71,6 +71,22 @@ golden-diff: commodore_args += -f tests/$(instance).yml golden-diff: clean .compile ## Diff compile output against the reference version. Review output and run `make gen-golden golden-diff` if this target fails. @git diff --exit-code --minimal --no-index -- tests/golden/$(instance) compiled/ +.PHONY: golden-diff-all +golden-diff-all: recursive_target=golden-diff +golden-diff-all: $(test_instances) ## Run golden-diff for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). + +.PHONY: gen-golden-all +gen-golden-all: recursive_target=gen-golden +gen-golden-all: $(test_instances) ## Run gen-golden for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). + +.PHONY: lint_kubent_all +lint_kubent_all: recursive_target=lint_kubent +lint_kubent_all: $(test_instances) ## Lint deprecated Kubernetes API versions for all golden test instances. Will exit on first error. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). + +.PHONY: $(test_instances) +$(test_instances): + $(MAKE) $(recursive_target) -e instance=$(basename $(@F)) + .PHONY: clean clean: ## Clean the project rm -rf .cache compiled dependencies vendor helmcharts jsonnetfile*.json || true diff --git a/Makefile.vars.mk b/Makefile.vars.mk index 74ce4b55..c9bd86f5 100644 --- a/Makefile.vars.mk +++ b/Makefile.vars.mk @@ -57,3 +57,4 @@ KUBENT_IMAGE ?= ghcr.io/doitintl/kube-no-trouble:latest KUBENT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE) instance ?= defaults +test_instances = tests/defaults.yml tests/operator.yml 
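Review bot: The `$(test_instances)` recipe `$(MAKE) $(recursive_target) -e instance=$(basename $(@F))` has no guard for an unset `recursive_target`; because the targets are named after real files, `make tests/operator.yml` invoked directly (or via tab completion) recurses into the default goal with `instance=operator` instead of failing. A first recipe line such as `@$(if $(recursive_target),,$(error recursive_target is not set; use one of the *-all targets))` makes that a hard error. Separately, the instance list now lives in three places — `test_instances` in Makefile.vars.mk, the workflow matrix in test.yaml and `test_cases` in .cruft.json — which is presumably template-driven, but a comment next to `test_instances` naming the other two would help whoever adds the next instance. The `golden-diff` target that precedes the new block starts outside the hunk.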
diff --git a/renovate.json b/renovate.json index 4b304e34..e174b12e 100644 --- a/renovate.json +++ b/renovate.json @@ -9,7 +9,7 @@ ], "postUpgradeTasks": { "commands": [ - "make gen-golden" + "make gen-golden-all" ], "fileFilters": [ "tests/golden/**" ], "executionMode": "update" diff --git a/tests/golden/operator/cert-manager/apps/cert-manager.yaml b/tests/golden/operator/cert-manager/apps/cert-manager.yaml new file mode 100644 index 00000000..e69de29b diff --git a/tests/operator.yml b/tests/operator.yml new file mode 100644 index 00000000..a4da5b7b --- /dev/null +++ b/tests/operator.yml @@ -0,0 +1,3 @@ +# Overwrite parameters here + +# parameters: {...} From fc78ae36fe4ab5988ff9c1dfba20147fa720821e Mon Sep 17 00:00:00 2001 From: Stephan Feurer Date: Thu, 18 Jan 2024 09:01:48 +0100 Subject: [PATCH 2/2] Support Openshifts cert-manager-operator --- class/cert-manager.yml | 100 ++++-- class/defaults.yml | 24 +- component/namespace.jsonnet | 21 +- component/operator.jsonnet | 46 +++ .../cert-manager/00_namespace.yaml | 1 - .../cert-manager/apps/cert-manager.yaml | 13 + .../cert-manager/00_namespace.yaml | 9 + .../01_operator/00_operator_group.yaml | 12 + .../01_operator/10_subscriptions.yaml | 25 ++ .../02_issuers/00_clusterissuer.yaml | 35 ++ .../cert-manager/02_issuers/20_acme_dns.yaml | 320 ++++++++++++++++++ tests/operator.yml | 33 +- 12 files changed, 588 insertions(+), 51 deletions(-) create mode 100644 component/operator.jsonnet create mode 100644 tests/golden/operator/cert-manager/cert-manager/00_namespace.yaml create mode 100644 tests/golden/operator/cert-manager/cert-manager/01_operator/00_operator_group.yaml create mode 100644 tests/golden/operator/cert-manager/cert-manager/01_operator/10_subscriptions.yaml create mode 100644 tests/golden/operator/cert-manager/cert-manager/02_issuers/00_clusterissuer.yaml create mode 100644 tests/golden/operator/cert-manager/cert-manager/02_issuers/20_acme_dns.yaml 
diff --git a/class/cert-manager.yml b/class/cert-manager.yml
index 3af163af..951a6e5b 100644
--- a/class/cert-manager.yml
+++ b/class/cert-manager.yml
@@ -1,37 +1,67 @@ parameters: - kapitan: - dependencies: - - type: helm - source: https://charts.jetstack.io - chart_name: cert-manager - version: ${cert_manager:charts:cert-manager} - output_path: ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/ + =_kapitan: + olm: + compile: + # common + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/app.jsonnet + output_type: yaml + output_path: apps/ + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/namespace.jsonnet + output_type: yaml + output_path: cert-manager/ + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/main.jsonnet + output_type: yaml + output_path: cert-manager/02_issuers + # install-method specific + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/operator.jsonnet + output_type: yaml + output_path: cert-manager/01_operator + helm: + dependencies: + - type: helm + source: https://charts.jetstack.io + chart_name: cert-manager + version: ${cert_manager:charts:cert-manager} + output_path: ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/ + compile: + # common + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/app.jsonnet + output_type: yaml + output_path: apps/ + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/namespace.jsonnet + output_type: yaml + output_path: cert-manager/ + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/main.jsonnet + output_type: yaml + output_path: cert-manager/02_issuers + # install-method specific + - input_type: jsonnet + input_paths: + - ${_base_directory}/component/upgrade.jsonnet + output_type: yaml + output_path: cert-manager/03_upgrade + - input_type: helm + input_paths: + - ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/ + output_path: cert-manager/01_helmchart + helm_values: ${cert_manager:helm_values} + helm_params: + name: cert-manager + 
namespace: ${cert_manager:namespace} - compile: - - input_paths: - - ${_base_directory}/component/app.jsonnet - input_type: jsonnet - output_path: apps/ - - output_path: cert-manager/01_helmchart - input_type: helm - input_paths: - - ${_base_directory}/helmcharts/cert-manager/${cert_manager:charts:cert-manager}/ - helm_values: ${cert_manager:helm_values} - helm_params: - name: cert-manager - namespace: ${cert_manager:namespace} - - output_path: cert-manager/ - input_type: jsonnet - output_type: yaml - input_paths: - - ${_base_directory}/component/namespace.jsonnet - - output_path: cert-manager/02_issuers - input_type: jsonnet - output_type: yaml - input_paths: - - ${_base_directory}/component/main.jsonnet - - output_path: cert-manager/03_upgrade - input_type: jsonnet - output_type: yaml - input_paths: - - ${_base_directory}/component/upgrade.jsonnet + kapitan: + ${_kapitan:${cert_manager:install_method}} diff --git a/class/defaults.yml b/class/defaults.yml index 633cecdf..08589682 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -1,20 +1,33 @@ parameters: cert_manager: namespace: syn-cert-manager - dns01-recursive-nameservers: "1.1.1.1:53" + install_method: helm + charts: cert-manager: v1.13.2 + + images: + kubectl: + registry: quay.io + image: appuio/oc + tag: 'v4.13' + http_proxy: "" https_proxy: "" no_proxy: "" + + dns01-recursive-nameservers: "1.1.1.1:53" + letsencrypt_clusterissuers: staging: true production: true + solvers: nginx_http01: http01: ingress: class: 'nginx' + secrets: {} acme_dns_api: {} # acme_dns_api: @@ -22,11 +35,6 @@ parameters: # username: dns_api_registration_user # password: dns_api_registration_password # fqdns: [ "api.cluster.example.com", "apps.cluster.example.com" ] - images: - kubectl: - registry: quay.io - image: appuio/oc - tag: 'v4.13' helm_values: global: @@ -60,3 +68,7 @@ parameters: requests: cpu: 50m memory: 512Mi + + olm: + channel: stable-v1 + resources: {} 
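Review bot: The three compile entries marked `# common` (app.jsonnet, namespace.jsonnet, main.jsonnet) are copied verbatim into both the `olm` and the `helm` branch of `=_kapitan`, and nothing states that they have to stay identical; as far as I can tell the single `${_kapitan:${cert_manager:install_method}}` lookup leaves no way to factor them into one shared list, so the invariant should at least be written down. I would replace each `# common` line with `# common — keep identical in the olm and helm branches`, or put one such comment above `=_kapitan:`. It is also worth noting in the same comment that an unsupported `install_method` value surfaces as a reclass reference error on `_kapitan:<value>` rather than a readable message.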
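Review bot: `install_method: helm` is introduced in the first hunk of class/defaults.yml without documenting its accepted values, and the `olm` value is only usable on OpenShift (component/operator.jsonnet in this same patch asserts on the `facts.distribution` parameter). I would add above the key: `# Installation method: 'helm' (chart from charts.jetstack.io) or 'olm' (Red Hat cert-manager operator; OpenShift only)`. The new `olm:` block in the last hunk would likewise benefit from `# Subscription channel and spec.config.resources for the operator` so readers know where `channel` and `resources` end up.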
diff --git a/component/namespace.jsonnet b/component/namespace.jsonnet index 8edfb8d6..fd2d49c9 100644 --- a/component/namespace.jsonnet +++ b/component/namespace.jsonnet @@ -5,18 +5,25 @@ local prom = import 'lib/prometheus.libsonnet'; local inv = kap.inventory(); local params = inv.parameters.cert_manager; -local namespace = kube.Namespace(params.namespace) { - metadata+: { - labels+: { - 'openshift.io/cluster-monitoring': 'true', - }, - }, -}; +local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift'); + +local namespace = kube.Namespace(params.namespace); { '00_namespace': if std.member(inv.applications, 'prometheus') then prom.RegisterNamespace(namespace) + else if isOpenshift then + namespace { + metadata+: { + annotations+: { + 'openshift.io/node-selector': 'infra', + }, + labels+: { + 'openshift.io/cluster-monitoring': 'true', + }, + }, + } else namespace, } diff --git a/component/operator.jsonnet b/component/operator.jsonnet new file mode 100644 index 00000000..dc2edde5 --- /dev/null +++ b/component/operator.jsonnet 
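Review bot: The OpenShift annotation and label added in the new `else if isOpenshift` branch are never applied when `prometheus` is in `inv.applications`, because that check wins first and `prom.RegisterNamespace(namespace)` receives the bare namespace; before this change the `openshift.io/cluster-monitoring` label was part of the base object and survived both paths. If the two concerns are meant to be independent, attach the OpenShift metadata to `namespace` itself and keep the prometheus check as the only branch, as sketched below. If OpenShift clusters are expected never to run the `prometheus` application, a comment on the `'00_namespace'` key saying so would make the precedence look intentional.
```jsonnet
local namespace = kube.Namespace(params.namespace) + (
  if isOpenshift then {
    metadata+: {
      annotations+: { 'openshift.io/node-selector': 'infra' },
      labels+: { 'openshift.io/cluster-monitoring': 'true' },
    },
  } else {}
);

{
  '00_namespace':
    if std.member(inv.applications, 'prometheus') then
      prom.RegisterNamespace(namespace)
    else
      namespace,
}
```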
@@ -0,0 +1,46 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local operatorlib = import 'lib/openshift4-operators.libsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.cert_manager;
+
+local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift');
+assert isOpenshift : 'olm install_method only available on Openshift';
+
+local operator_group = operatorlib.OperatorGroup('syn-cert-manager') {
+ metadata+: {
+ labels+: {
+ 'app.kubernetes.io/managed-by': 'commodore',
+ },
+ namespace: params.namespace,
+ },
+ spec: {
+ targetNamespaces: [
+ params.namespace,
+ ],
+ },
+};
+
+local subscriptions = operatorlib.namespacedSubscription(
+ params.namespace,
+ 'openshift-cert-manager-operator',
+ params.olm.channel,
+ 'redhat-operators'
+) {
+ labels+: {
+ 'app.kubernetes.io/managed-by': 'commodore',
+ },
+ spec+: {
+ config+: {
+ resources: params.olm.resources,
+ },
+ },
+};
+
+
+{
+ '00_operator_group': operator_group,
+ '10_subscriptions': subscriptions,
+}
diff --git a/tests/golden/defaults/cert-manager/cert-manager/00_namespace.yaml b/tests/golden/defaults/cert-manager/cert-manager/00_namespace.yaml
index 69122386..8c4a75aa 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/00_namespace.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/00_namespace.yaml
@@ -5,5 +5,4 @@ metadata:
 labels:
 monitoring.syn.tools/infra-monitoring: 'true'
 name: syn-cert-manager
- openshift.io/cluster-monitoring: 'true'
 name: syn-cert-manager
diff --git a/tests/golden/operator/cert-manager/apps/cert-manager.yaml b/tests/golden/operator/cert-manager/apps/cert-manager.yaml
index e69de29b..3ea89eeb 100644
--- a/tests/golden/operator/cert-manager/apps/cert-manager.yaml
+++ b/tests/golden/operator/cert-manager/apps/cert-manager.yaml
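Review bot: The `labels+:` mixin on `subscriptions` sits at the top level of the object instead of under `metadata`, so the managed-by label ends up as a sibling of `apiVersion`; the golden file tests/golden/operator/cert-manager/cert-manager/01_operator/10_subscriptions.yaml in this same patch shows exactly that, and a top-level `labels` field is not part of the Subscription schema, so it will be pruned or rejected depending on the server's validation mode. The fix is to wrap it the same way `operator_group` does: `metadata+: { labels+: { 'app.kubernetes.io/managed-by': 'commodore' } },`. Two smaller things in the same file: the `com` and `kube` imports are unused, and the OperatorGroup name `'syn-cert-manager'` is hard-coded while its `namespace` follows `params.namespace`, so the two drift apart as soon as someone overrides the namespace.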
@@ -0,0 +1,13 @@
+spec:
+ ignoreDifferences:
+ - jsonPointers:
+ - /data
+ kind: Secret
+ name: acme-dns-client
+ namespace: syn-cert-manager
+ - group: admissionregistration.k8s.io
+ jqPathExpressions:
+ - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane")
+ - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "kubernetes.azure.com/managedby")
+ kind: ValidatingWebhookConfiguration
+ name: cert-manager-webhook
diff --git a/tests/golden/operator/cert-manager/cert-manager/00_namespace.yaml b/tests/golden/operator/cert-manager/cert-manager/00_namespace.yaml
new file mode 100644
index 00000000..298215f7
--- /dev/null
+++ b/tests/golden/operator/cert-manager/cert-manager/00_namespace.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ openshift.io/node-selector: infra
+ labels:
+ name: syn-cert-manager
+ openshift.io/cluster-monitoring: 'true'
+ name: syn-cert-manager
diff --git a/tests/golden/operator/cert-manager/cert-manager/01_operator/00_operator_group.yaml b/tests/golden/operator/cert-manager/cert-manager/01_operator/00_operator_group.yaml
new file mode 100644
index 00000000..57728a86
--- /dev/null
+++ b/tests/golden/operator/cert-manager/cert-manager/01_operator/00_operator_group.yaml
@@ -0,0 +1,12 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/managed-by: commodore
+ name: syn-cert-manager
+ name: syn-cert-manager
+ namespace: syn-cert-manager
+spec:
+ targetNamespaces:
+ - syn-cert-manager
diff --git a/tests/golden/operator/cert-manager/cert-manager/01_operator/10_subscriptions.yaml b/tests/golden/operator/cert-manager/cert-manager/01_operator/10_subscriptions.yaml
new file mode 100644
index 00000000..7f080faa
--- /dev/null
+++ b/tests/golden/operator/cert-manager/cert-manager/01_operator/10_subscriptions.yaml
@@ -0,0 +1,25 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+labels:
+ app.kubernetes.io/managed-by: commodore
+metadata:
+ annotations: {}
+ labels:
+ name: openshift-cert-manager-operator
+ name: openshift-cert-manager-operator
+ namespace: syn-cert-manager
+spec:
+ channel: stable-v1
+ config:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/infra
+ operator: Exists
+ resources: {}
+ installPlanApproval: Automatic
+ name: openshift-cert-manager-operator
+ source: redhat-operators
+ sourceNamespace: openshift-operators-redhat
diff --git a/tests/golden/operator/cert-manager/cert-manager/02_issuers/00_clusterissuer.yaml b/tests/golden/operator/cert-manager/cert-manager/02_issuers/00_clusterissuer.yaml
new file mode 100644
index 00000000..8d2d7aaa
--- /dev/null
+++ b/tests/golden/operator/cert-manager/cert-manager/02_issuers/00_clusterissuer.yaml
@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations: {}
+ labels:
+ name: letsencrypt-staging
+ name: letsencrypt-staging
+spec:
+ acme:
+ email: test@syn.tools
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ annotations: {}
+ labels:
+ name: letsencrypt-production
+ name: letsencrypt-production
+spec:
+ acme:
+ email: test@syn.tools
+ privateKeySecretRef:
+ name: letsencrypt-production
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/tests/golden/operator/cert-manager/cert-manager/02_issuers/20_acme_dns.yaml b/tests/golden/operator/cert-manager/cert-manager/02_issuers/20_acme_dns.yaml
new file mode 100644
index 00000000..1d19a0fa
--- /dev/null
+++ b/tests/golden/operator/cert-manager/cert-manager/02_issuers/20_acme_dns.yaml 
@@ -0,0 +1,320 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: acme-dns + name: acme-dns + namespace: syn-cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: {} + labels: + name: acme-dns-secret-editor + name: acme-dns-secret-editor + namespace: syn-cert-manager +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - patch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: acme-dns-secret-editor + name: acme-dns-secret-editor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: acme-dns-secret-editor +subjects: + - kind: ServiceAccount + name: acme-dns + namespace: syn-cert-manager +--- +apiVersion: v1 +data: + check.sh: | + #!/bin/sh + + set -e + + # Extract acme-dns client config from mounted secret file with `jq` and inject + # as variables into the script environment with `eval`. + username= + password= + subdomain= + acmedns_config=$(jq -r --argjson fqdns "${ACME_DNS_FQDNS}" ' + .[$fqdns[0]] + | "username=\(.username) password=\(.password) subdomain=\(.subdomain)" + ' "${CONFIG_PATH}/acmedns.json") + # This overrides the empty variables declared above + eval "${acmedns_config}" + + reregister= + if ! curl \ + -H"X-Api-User: ${username}" \ + -H"X-Api-Key: ${password}" \ + -d '{ + "subdomain": "'"${subdomain}"'", + "txt": "___self___verify___client___credentials____" + }' "${ACME_DNS_API}"/update; then + echo "Failed to update record... 
trying reregistration" + reregister="yes" + fi + + if [ -n "${reregister}" ]; then + "${SCRIPTS_PATH}/register.sh" force + fi + register.sh: | + #!/bin/sh + + set -e + + readonly force_register="${1}" + readonly client_creds_file="${CONFIG_PATH}/acmedns.json" + + readonly orig_secret="$(kubectl -n "${NAMESPACE}" \ + get secret "${CLIENT_SECRET_NAME}" -ojson)" + + reg_auth_args= + if [ -n "${REG_USERNAME}" ]; then + reg_auth_args="-u${REG_USERNAME}:${REG_PASSWORD}" + fi + + + if ! [ -f "${client_creds_file}" ] \ + || [ -n "${force_register}" ]; then + + reg=$(curl -XPOST "${reg_auth_args}" "${ACME_DNS_API}/register") + # Create acme-dns-client secret for provided domain names. + # Required format for acmedns.json in `stringData`: + # { + # "example.com": { registration output }, + # "example.org": { registration output } + # } + client_secret=$(jq -n \ + --argjson orig_secret "${orig_secret}" \ + --argjson reg "${reg}" \ + --argjson fqdns "${ACME_DNS_FQDNS}" \ + --arg client_secret_name "${CLIENT_SECRET_NAME}" \ + --arg namespace "${NAMESPACE}" \ + '($orig_secret + |del(.metadata.annotations."kubectl.kubernetes.io/last-applied-configuration") + ) + { + "stringData": { + "acmedns.json": (reduce $fqdns[] as $d ({}; . + { ($d): $reg })) | tojson + } + }') + + echo "${client_secret}" >"${HOME}/secret.json" + # Use kubectl apply as the empty secret is created by ArgoCD + kubectl apply -f "${HOME}/secret.json" + else + echo "Client credentials config '${client_creds_file}' already exists." 
+ fi +kind: ConfigMap +metadata: + annotations: {} + labels: + name: register-acme-dns-client + name: register-acme-dns-client + namespace: syn-cert-manager +--- +apiVersion: v1 +data: {} +kind: Secret +metadata: + annotations: {} + labels: + name: acme-dns-register + name: acme-dns-register + namespace: syn-cert-manager +stringData: + REG_PASSWORD: t-silent-test-1234/c-green-test-1234/cert-manager/acme-dns-register-password + REG_USERNAME: acme-dns +type: Opaque +--- +apiVersion: v1 +data: {} +kind: Secret +metadata: + annotations: + cert-manager.syn.tools/managed-by: The contents of this secret are managed by + resources Job/create-acme-dns-client and CronJob/check-acme-dns-client + labels: + name: acme-dns-client + name: acme-dns-client + namespace: syn-cert-manager +type: Opaque +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded + labels: + name: create-acme-dns-client + name: create-acme-dns-client + namespace: syn-cert-manager +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: create-acme-dns-client + spec: + containers: + - args: [] + command: + - /scripts/register.sh + env: + - name: ACME_DNS_API + value: acme-dns-api.example.com + - name: ACME_DNS_FQDNS + value: '["example.com", "apps.example.com"]' + - name: CLIENT_SECRET_NAME + value: acme-dns-client + - name: CONFIG_PATH + value: /etc/acme-dns + - name: HOME + value: /home/acme-dns + - name: HTTPS_PROXY + value: '' + - name: HTTP_PROXY + value: '' + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NO_PROXY + value: '' + - name: SCRIPTS_PATH + value: /scripts + envFrom: + - secretRef: + name: acme-dns-register + image: quay.io/appuio/oc:v4.13 + imagePullPolicy: IfNotPresent + name: register-client + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /etc/acme-dns + name: acmedns-client-secret + readOnly: true + - 
mountPath: /home/acme-dns + name: home + - mountPath: /scripts + name: scripts + workingDir: /home/acme-dns + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: acme-dns + terminationGracePeriodSeconds: 30 + volumes: + - name: acmedns-client-secret + secret: + secretName: acme-dns-client + - emptyDir: {} + name: home + - configMap: + defaultMode: 504 + name: register-acme-dns-client + name: scripts +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: {} + labels: + name: check-acme-dns-client + name: check-acme-dns-client + namespace: syn-cert-manager +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 20 + jobTemplate: + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + name: check-acme-dns-client + spec: + containers: + - args: [] + command: + - /scripts/check.sh + env: + - name: ACME_DNS_API + value: acme-dns-api.example.com + - name: ACME_DNS_FQDNS + value: '["example.com", "apps.example.com"]' + - name: CLIENT_SECRET_NAME + value: acme-dns-client + - name: CONFIG_PATH + value: /etc/acme-dns + - name: HOME + value: /home/acme-dns + - name: HTTPS_PROXY + value: '' + - name: HTTP_PROXY + value: '' + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NO_PROXY + value: '' + - name: SCRIPTS_PATH + value: /scripts + envFrom: + - secretRef: + name: acme-dns-register + image: quay.io/appuio/oc:v4.13 + imagePullPolicy: IfNotPresent + name: check-client + ports: [] + stdin: false + tty: false + volumeMounts: + - mountPath: /etc/acme-dns + name: acmedns-client-secret + readOnly: true + - mountPath: /home/acme-dns + name: home + - mountPath: /scripts + name: scripts + workingDir: /home/acme-dns + imagePullSecrets: [] + initContainers: [] + restartPolicy: OnFailure + serviceAccountName: acme-dns + terminationGracePeriodSeconds: 30 + volumes: + - name: acmedns-client-secret + secret: + secretName: acme-dns-client + - emptyDir: {} + name: home + - 
configMap: + defaultMode: 504 + name: register-acme-dns-client + name: scripts + schedule: 47 1 * * * + successfulJobsHistoryLimit: 10 diff --git a/tests/operator.yml b/tests/operator.yml index a4da5b7b..5a3166d3 100644 --- a/tests/operator.yml +++ b/tests/operator.yml @@ -1,3 +1,32 @@ -# Overwrite parameters here +applications: + - openshift4-operators as openshift-operators-redhat + - openshift4-monitoring -# parameters: {...} +parameters: + kapitan: + dependencies: + - type: https + source: https://raw.githubusercontent.com/appuio/component-openshift4-operators/master/lib/openshift4-operators.libsonnet + output_path: vendor/lib/openshift4-operators.libsonnet + - type: https + source: https://raw.githubusercontent.com/appuio/component-openshift4-monitoring/master/lib/openshift4-monitoring-alert-patching.libsonnet + output_path: vendor/lib/alert-patching.libsonnet + + facts: + distribution: openshift4 + + openshift4_operators: + defaultInstallPlanApproval: Automatic + defaultSource: openshift-operators-redhat + defaultSourceNamespace: openshift-operators-redhat + + cert_manager: + install_method: olm + letsencrypt_email: test@syn.tools + acme_dns_api: + endpoint: acme-dns-api.example.com + username: acme-dns + password: ?{vaultkv:${cluster:tenant}/${cluster:name}/cert-manager/acme-dns-register-password} + fqdns: + - example.com + - apps.example.com
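Review bot: The two `type: https` dependencies in tests/operator.yml fetch `openshift4-operators.libsonnet` and the alert-patching library from the `master` branch of their GitHub repositories at compile time, so the `operator` golden output can drift without any change in this repository, and a CI failure would then point at the wrong commit. Pinning each `source` URL to a tag or commit SHA (replace `master` with a `<pinned-ref>` placeholder and record the ref in a comment) keeps the fixture reproducible and narrows what an upstream compromise of those branches can reach. If the component template deliberately tracks `master` here, a comment above `dependencies:` saying so would spare the next reviewer the same question.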