From 26567aefdc3df30feec25bc847a7e4289c77e0d5 Mon Sep 17 00:00:00 2001 
From: Sebastian Widmer Date: Wed, 6 Dec 2023 12:32:43 +0100 Subject: [PATCH] Initial implementation --- .yamllint.yml | 1 + class/defaults.yml | 123 +++++++++++++++- class/lieutenant-keycloak-idp-controller.yml | 20 +++ ...lieutenant-keycloak-idp-controller.jsonnet | 82 +++++++++++ component/main.jsonnet | 8 +- tests/defaults.yml | 7 +- .../10_config_maps.yaml | 78 +++++++++++ .../10_secrets.yaml | 0 ...oak-idp-controller-controller-manager.yaml | 132 ++++++++++++++++++ ...-controller-controller-manager-alerts.yaml | 17 +++ ...er-controller-manager-metrics-monitor.yaml | 24 ++++ ...-keycloak-idp-controller-manager-role.yaml | 29 ++++ ...eycloak-idp-controller-metrics-reader.yaml | 16 +++ ...nt-keycloak-idp-controller-proxy-role.yaml | 24 ++++ ...ak-idp-controller-manager-rolebinding.yaml | 19 +++ ...loak-idp-controller-proxy-rolebinding.yaml | 19 +++ ...k-idp-controller-leader-election-role.yaml | 44 ++++++ ...ontroller-leader-election-rolebinding.yaml | 20 +++ ...ak-idp-controller-manager-rolebinding.yaml | 20 +++ ...yn-lieutenant-keycloak-idp-controller.yaml | 12 ++ ...controller-controller-manager-metrics.yaml | 21 +++ ...oak-idp-controller-controller-manager.yaml | 12 ++ 22 files changed, 725 insertions(+), 3 deletions(-) create mode 100644 component/lieutenant-keycloak-idp-controller.jsonnet create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_config_maps.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_secrets.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/apps_v1_deployment_lieutenant-keycloak-idp-controller-controller-manager.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_prometheusrule_lieutenant-keycloak-idp-controller-controller-manager-alerts.yaml create mode 
100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_servicemonitor_lieutenant-keycloak-idp-controller-controller-manager-metrics-monitor.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-manager-role.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-metrics-reader.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-proxy-role.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-proxy-rolebinding.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_role_lieutenant-keycloak-idp-controller-leader-election-role.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-leader-election-rolebinding.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml create mode 100644 
tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_namespace_projectsyn-lieutenant-keycloak-idp-controller.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_service_lieutenant-keycloak-idp-controller-controller-manager-metrics.yaml create mode 100644 tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_serviceaccount_lieutenant-keycloak-idp-controller-controller-manager.yaml diff --git a/.yamllint.yml b/.yamllint.yml index 92aea6c..2c299b8 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -22,3 +22,4 @@ ignore: | manifests/ vendor/ compiled/ + tests/golden/ diff --git a/class/defaults.yml b/class/defaults.yml index 027ac38..1737b2e 100644 --- a/class/defaults.yml +++ b/class/defaults.yml 
@@ -1,4 +1,125 @@ parameters: lieutenant_keycloak_idp_controller: =_metadata: {} - namespace: syn-lieutenant-keycloak-idp-controller + namespace: projectsyn-lieutenant-keycloak-idp-controller + namespaceMetadata: {} + + secrets: {} + config_maps: + lieutenant-keycloak-idp-controller-templates: + data: ${lieutenant_keycloak_idp_controller:templates} + + images: + lieutenant_keycloak_idp_controller: + registry: ghcr.io + image: projectsyn/lieutenant-keycloak-idp-controller + tag: v0.1.0-dev1 + kube_rbac_proxy: + registry: gcr.io + image: kubebuilder/kube-rbac-proxy + tag: v0.14.1 + + manifests_version: ${lieutenant_keycloak_idp_controller:images:lieutenant_keycloak_idp_controller:tag} + + kustomize_input: + namespace: ${lieutenant_keycloak_idp_controller:namespace} + + controller: + env: + KEYCLOAK_BASE_URL: + KEYCLOAK_USER: + KEYCLOAK_PASSWORD: + KEYCLOAK_REALM: + KEYCLOAK_LOGIN_REALM: admin + KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true' + VAULT_ADDRESS: + + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + + - --keycloak-realm=$(KEYCLOAK_REALM) + - --keycloak-base-url=$(KEYCLOAK_BASE_URL) + - --keycloak-user=$(KEYCLOAK_USER) + - --keycloak-password=$(KEYCLOAK_PASSWORD) + - --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM) + - --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT) + + - --client-template-file=/templates/client.jsonnet + - --client-role-mapping-template-file=/templates/client-roles.jsonnet + + - --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token + - --vault-address=$(VAULT_ADDRESS) + + templates: + vars.jsonnet: | + { + clientPrefix: 'cluster_', + formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name, + } + client.jsonnet: | + local context = std.extVar('context'); + local vars = import 'vars.jsonnet'; + + { + clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ], + name: '%s (%s)' % [ 
context.cluster.spec.displayName, context.cluster.metadata.name ], + description: '', + rootUrl: vars.formatRootUrl(context), + adminUrl: '', + baseUrl: '', + surrogateAuthRequired: false, + enabled: true, + alwaysDisplayInConsole: false, + clientAuthenticatorType: 'client-secret', + redirectUris: [ + '/oauth2/callback', + ], + webOrigins: [], + notBefore: 0, + bearerOnly: false, + consentRequired: false, + standardFlowEnabled: true, + implicitFlowEnabled: false, + directAccessGrantsEnabled: true, + serviceAccountsEnabled: false, + publicClient: false, + frontchannelLogout: true, + protocol: 'openid-connect', + attributes: { + 'oidc.ciba.grant.enabled': 'false', + 'backchannel.logout.session.required': 'true', + 'oauth2.device.authorization.grant.enabled': 'false', + 'display.on.consent.screen': 'false', + 'backchannel.logout.revoke.offline.tokens': 'false', + }, + authenticationFlowBindingOverrides: {}, + fullScopeAllowed: true, + nodeReRegistrationTimeout: -1, + defaultClientScopes: [ + 'web-origins', + 'acr', + 'profile', + 'roles', + 'email', + ], + optionalClientScopes: [ + 'address', + 'phone', + 'offline_access', + 'microprofile-jwt', + ], + access: { + view: true, + configure: true, + manage: true, + }, + } + client-roles.jsonnet: | + local context = std.extVar('context'); + + [{ + // https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode + role: 'restricted-access', + }] diff --git a/class/lieutenant-keycloak-idp-controller.yml b/class/lieutenant-keycloak-idp-controller.yml index f014c28..81a3715 100644 --- a/class/lieutenant-keycloak-idp-controller.yml +++ b/class/lieutenant-keycloak-idp-controller.yml 
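Review bot: The `controller.env` defaults leave `KEYCLOAK_BASE_URL`, `KEYCLOAK_USER`, `KEYCLOAK_PASSWORD`, `KEYCLOAK_REALM` and `VAULT_ADDRESS` as bare empty values, which YAML reads as null, and the rendered Deployment in this commit accordingly carries `- name: KEYCLOAK_PASSWORD` with no value; nothing in the hunk says these are mandatory or how the credential is meant to be supplied. A comment above the block such as `# Required. Supply KEYCLOAK_PASSWORD as a valueFrom.secretKeyRef, never as a literal in the hierarchy` would make the contract explicit (assuming `com.envList` maps object values to `valueFrom`, which I cannot confirm from here). Note also that `--keycloak-password=$(KEYCLOAK_PASSWORD)` expands the secret into the container's argv, where it is readable from the node's process table; if the controller can read the variable from the environment directly, dropping that flag avoids the exposure. Separately, `directAccessGrantsEnabled: true` in `client.jsonnet` enables the password grant on every generated client, and the hard-coded `https://oauth-openshift.apps.%s.dev` in `vars.jsonnet` is plainly a placeholder — both deserve a comment stating they are expected to be overridden per deployment.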
@@ -9,3 +9,23 @@ parameters: - ${_base_directory}/component/main.jsonnet input_type: jsonnet output_path: lieutenant-keycloak-idp-controller/ + + - input_paths: + - ${_base_directory}/component/lieutenant-keycloak-idp-controller.jsonnet + input_type: jsonnet + output_path: ${_base_directory}/lieutenant-keycloak-idp-controller + output_type: yaml + - input_type: external + output_path: . + input_paths: + - ${_kustomize_wrapper} + env_vars: + INPUT_DIR: ${_base_directory}/lieutenant-keycloak-idp-controller + args: + - \${compiled_target_dir}/lieutenant-keycloak-idp-controller + + # Cleanup + - input_paths: + - ${_base_directory}/lieutenant-keycloak-idp-controller + input_type: remove + output_path: . diff --git a/component/lieutenant-keycloak-idp-controller.jsonnet b/component/lieutenant-keycloak-idp-controller.jsonnet new file mode 100644 index 0000000..b1a71dc --- /dev/null +++ b/component/lieutenant-keycloak-idp-controller.jsonnet 
@@ -0,0 +1,82 @@ +// main template for openshift4-slos +local com = import 'lib/commodore.libjsonnet'; +local kap = import 'lib/kapitan.libjsonnet'; +local kube = import 'lib/kube.libjsonnet'; + +local slo = import 'slos.libsonnet'; + +local inv = kap.inventory(); +// The hiera parameters for the component +local params = inv.parameters.lieutenant_keycloak_idp_controller; + +local upstreamNamespace = 'lieutenant-keycloak-idp-controller-system'; + +local removeUpstreamNamespace = kube.Namespace(upstreamNamespace) { + metadata: { + name: upstreamNamespace, + } + com.makeMergeable(params.namespaceMetadata), +}; + +local controllerPatch = { + apiVersion: 'apps/v1', + kind: 'Deployment', + metadata: { + name: 'lieutenant-keycloak-idp-controller-controller-manager', + namespace: upstreamNamespace, + }, + spec: { + template: { + spec: { + containers: [ { + name: 'manager', + args: params.controller.args, + env: com.envList(params.controller.env), + volumeMounts: [ { + name: 'templates', + mountPath: '/templates', + } ], + } ], + volumes: [ { + name: 'templates', + configMap: { + name: 'lieutenant-keycloak-idp-controller-templates', + }, + } ], + }, + }, + }, +}; + +local patch = function(p) { + patch: std.manifestJsonMinified(p), +}; + +com.Kustomization( + 'https://github.com/projectsyn/lieutenant-keycloak-idp-controller//config/default', + params.manifests_version, + { + 'ghcr.io/projectsyn/lieutenant-keycloak-idp-controller': { + local image = params.images.lieutenant_keycloak_idp_controller, + newTag: image.tag, + newName: '%(registry)s/%(image)s' % image, + }, + 'gcr.io/kubebuilder/kube-rbac-proxy': { + local image = params.images.kube_rbac_proxy, + newTag: image.tag, + newName: '%(registry)s/%(image)s' % image, + }, + }, + params.kustomize_input { + patches+: [ + patch(removeUpstreamNamespace), + patch(controllerPatch), + ], + labels+: [ + { + pairs: { + 'app.kubernetes.io/managed-by': 'commodore', + }, + }, + ], + }, +) 
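Review bot: The file header `// main template for openshift4-slos` and `local slo = import 'slos.libsonnet';` look like leftovers from another component — no `slos.libsonnet` is added by this commit, and the import only goes unnoticed because Jsonnet resolves imports lazily; both lines should go, with the header reading `// main template for lieutenant-keycloak-idp-controller`. `removeUpstreamNamespace` does not remove anything: it is a Namespace patch that layers `params.namespaceMetadata` onto the upstream namespace, so a name like `namespacePatch` would describe it. A comment above `controllerPatch` should also state that `args` is replaced wholesale by the patch (strategic merge replaces lists without a merge key), so an override of `controller.args` silently drops every upstream flag. The rendered output in this commit additionally contains a RoleBinding whose `roleRef` names a Role `manager-role` that nothing creates; that appears to come from upstream, but a patch removing the dangling binding would keep the RBAC set tidy.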
diff --git a/component/main.jsonnet b/component/main.jsonnet index b266f9c..04afd8e 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -1,10 +1,16 @@ -// main template for lieutenant-keycloak-idp-controller +// main template for lieutenant-keycloak-idp-controller\ +local com = import 'lib/commodore.libjsonnet'; local kap = import 'lib/kapitan.libjsonnet'; local kube = import 'lib/kube.libjsonnet'; local inv = kap.inventory(); // The hiera parameters for the component local params = inv.parameters.lieutenant_keycloak_idp_controller; +local secrets = com.generateResources(params.secrets, kube.Secret); +local configMaps = com.generateResources(params.config_maps, kube.ConfigMap); + // Define outputs below { + '10_secrets': secrets, + '10_config_maps': configMaps, } diff --git a/tests/defaults.yml b/tests/defaults.yml index a4da5b7..b466ba7 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -1,3 +1,8 @@ # Overwrite parameters here -# parameters: {...} +parameters: + secrets: + keycloak-user: + stringData: + username: user + password: password diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_config_maps.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_config_maps.yaml new file mode 100644 index 0000000..74d779d --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_config_maps.yaml 
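Review bot: The rewritten header comment ends in a stray backslash, `// main template for lieutenant-keycloak-idp-controller\`; drop the trailing `\`. Beyond that, a one-line comment above `local secrets = com.generateResources(params.secrets, kube.Secret);` noting that `params.secrets` values are expected to be secret references rather than plaintext literals would help the next maintainer, since anything placed there is rendered verbatim into the compiled catalog.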
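Review bot: The `secrets` override is placed directly under `parameters`, but `main.jsonnet` reads `inv.parameters.lieutenant_keycloak_idp_controller.secrets`, so this fixture never reaches the component; the golden `10_secrets.yaml` created by the same commit is an empty blob, which bears that out. Nest it as `parameters:` / `  lieutenant_keycloak_idp_controller:` / `    secrets:` and regenerate the golden files. Once wired through, the fixture could also point `KEYCLOAK_USER` and `KEYCLOAK_PASSWORD` in `controller.env` at this Secret, so the golden Deployment demonstrates the intended `valueFrom` wiring instead of empty env entries.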
@@ -0,0 +1,78 @@ +apiVersion: v1 +data: + client-roles.jsonnet: | + local context = std.extVar('context'); + + [{ + // https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode + role: 'restricted-access', + }] + client.jsonnet: | + local context = std.extVar('context'); + local vars = import 'vars.jsonnet'; + + { + clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ], + name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ], + description: '', + rootUrl: vars.formatRootUrl(context), + adminUrl: '', + baseUrl: '', + surrogateAuthRequired: false, + enabled: true, + alwaysDisplayInConsole: false, + clientAuthenticatorType: 'client-secret', + redirectUris: [ + '/oauth2/callback', + ], + webOrigins: [], + notBefore: 0, + bearerOnly: false, + consentRequired: false, + standardFlowEnabled: true, + implicitFlowEnabled: false, + directAccessGrantsEnabled: true, + serviceAccountsEnabled: false, + publicClient: false, + frontchannelLogout: true, + protocol: 'openid-connect', + attributes: { + 'oidc.ciba.grant.enabled': 'false', + 'backchannel.logout.session.required': 'true', + 'oauth2.device.authorization.grant.enabled': 'false', + 'display.on.consent.screen': 'false', + 'backchannel.logout.revoke.offline.tokens': 'false', + }, + authenticationFlowBindingOverrides: {}, + fullScopeAllowed: true, + nodeReRegistrationTimeout: -1, + defaultClientScopes: [ + 'web-origins', + 'acr', + 'profile', + 'roles', + 'email', + ], + optionalClientScopes: [ + 'address', + 'phone', + 'offline_access', + 'microprofile-jwt', + ], + access: { + view: true, + configure: true, + manage: true, + }, + } + vars.jsonnet: | + { + clientPrefix: 'cluster_', + formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name, + } +kind: ConfigMap +metadata: + annotations: {} + labels: + name: lieutenant-keycloak-idp-controller-templates + name: lieutenant-keycloak-idp-controller-templates 
diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_secrets.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_secrets.yaml new file mode 100644 index 0000000..e69de29 diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/apps_v1_deployment_lieutenant-keycloak-idp-controller-controller-manager.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/apps_v1_deployment_lieutenant-keycloak-idp-controller-controller-manager.yaml new file mode 100644 index 0000000..1a6acd9 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/apps_v1_deployment_lieutenant-keycloak-idp-controller-controller-manager.yaml 
@@ -0,0 +1,132 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: deployment + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + control-plane: controller-manager + name: lieutenant-keycloak-idp-controller-controller-manager + namespace: projectsyn-lieutenant-keycloak-idp-controller +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --keycloak-realm=$(KEYCLOAK_REALM) + - --keycloak-base-url=$(KEYCLOAK_BASE_URL) + - --keycloak-user=$(KEYCLOAK_USER) + - --keycloak-password=$(KEYCLOAK_PASSWORD) + - --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM) + - --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT) + - --client-template-file=/templates/client.jsonnet + - --client-role-mapping-template-file=/templates/client-roles.jsonnet + - --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token + - --vault-address=$(VAULT_ADDRESS) + env: + - name: KEYCLOAK_BASE_URL + - name: KEYCLOAK_LEGACY_WILDFLY_SUPPORT + value: "true" + - name: KEYCLOAK_LOGIN_REALM + value: admin + - name: KEYCLOAK_PASSWORD + - name: KEYCLOAK_REALM + - name: KEYCLOAK_USER + - name: VAULT_ADDRESS + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + image: ghcr.io/projectsyn/lieutenant-keycloak-idp-controller:v0.1.0-dev1 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /templates + name: templates + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: lieutenant-keycloak-idp-controller-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + name: lieutenant-keycloak-idp-controller-templates + name: templates diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_prometheusrule_lieutenant-keycloak-idp-controller-controller-manager-alerts.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_prometheusrule_lieutenant-keycloak-idp-controller-controller-manager-alerts.yaml new file mode 100644 index 0000000..9f6024c --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_prometheusrule_lieutenant-keycloak-idp-controller-controller-manager-alerts.yaml 
@@ -0,0 +1,17 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + labels: + app.kubernetes.io/component: alerts + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: controller-manager-alerts + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: prometheusrule + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + control-plane: controller-manager + name: lieutenant-keycloak-idp-controller-controller-manager-alerts + namespace: projectsyn-lieutenant-keycloak-idp-controller +spec: + groups: + - name: alerts + rules: [] diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_servicemonitor_lieutenant-keycloak-idp-controller-controller-manager-metrics-monitor.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_servicemonitor_lieutenant-keycloak-idp-controller-controller-manager-metrics-monitor.yaml new file mode 100644 index 0000000..c9ee091 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/monitoring.coreos.com_v1_servicemonitor_lieutenant-keycloak-idp-controller-controller-manager-metrics-monitor.yaml 
@@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: controller-manager-metrics-monitor + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: servicemonitor + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + control-plane: controller-manager + name: lieutenant-keycloak-idp-controller-controller-manager-metrics-monitor + namespace: projectsyn-lieutenant-keycloak-idp-controller +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + path: /metrics + port: https + scheme: https + tlsConfig: + insecureSkipVerify: true + selector: + matchLabels: + control-plane: controller-manager diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-manager-role.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-manager-role.yaml new file mode 100644 index 0000000..bb3e0e7 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-manager-role.yaml @@ -0,0 +1,29 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: commodore + name: lieutenant-keycloak-idp-controller-manager-role +rules: +- apiGroups: + - syn.tools + resources: + - clusters + verbs: + - get + - list + - watch +- apiGroups: + - syn.tools + resources: + - clusters/finalizers + verbs: + - update +- apiGroups: + - syn.tools + resources: + - clusters/status + verbs: + - get + - patch + - update 
diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-metrics-reader.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-metrics-reader.yaml new file mode 100644 index 0000000..f9acee1 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-metrics-reader.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + name: lieutenant-keycloak-idp-controller-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-proxy-role.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-proxy-role.yaml new file mode 100644 index 0000000..412e442 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrole_lieutenant-keycloak-idp-controller-proxy-role.yaml 
@@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + name: lieutenant-keycloak-idp-controller-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml new file mode 100644 index 0000000..c190fa4 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + name: lieutenant-keycloak-idp-controller-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: lieutenant-keycloak-idp-controller-manager-role +subjects: +- kind: ServiceAccount + name: lieutenant-keycloak-idp-controller-controller-manager + namespace: projectsyn-lieutenant-keycloak-idp-controller diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-proxy-rolebinding.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-proxy-rolebinding.yaml new file mode 100644 index 0000000..dd5b284 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_clusterrolebinding_lieutenant-keycloak-idp-controller-proxy-rolebinding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + name: lieutenant-keycloak-idp-controller-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: lieutenant-keycloak-idp-controller-proxy-role +subjects: +- kind: ServiceAccount + name: lieutenant-keycloak-idp-controller-controller-manager + namespace: projectsyn-lieutenant-keycloak-idp-controller diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_role_lieutenant-keycloak-idp-controller-leader-election-role.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_role_lieutenant-keycloak-idp-controller-leader-election-role.yaml new file mode 100644 index 0000000..1cbab4a --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_role_lieutenant-keycloak-idp-controller-leader-election-role.yaml 
@@ -0,0 +1,44 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: role + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + name: lieutenant-keycloak-idp-controller-leader-election-role + namespace: projectsyn-lieutenant-keycloak-idp-controller +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-leader-election-rolebinding.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-leader-election-rolebinding.yaml new file mode 100644 index 0000000..9c7bde2 --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-leader-election-rolebinding.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/managed-by: commodore + app.kubernetes.io/name: rolebinding + app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller + name: lieutenant-keycloak-idp-controller-leader-election-rolebinding + namespace: projectsyn-lieutenant-keycloak-idp-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: lieutenant-keycloak-idp-controller-leader-election-role +subjects: +- kind: ServiceAccount + name: lieutenant-keycloak-idp-controller-controller-manager + namespace: projectsyn-lieutenant-keycloak-idp-controller diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml new file mode 100644 index 0000000..f4367cf --- /dev/null +++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/rbac.authorization.k8s.io_v1_rolebinding_lieutenant-keycloak-idp-controller-manager-rolebinding.yaml 
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: rolebinding
+ app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller
+ name: lieutenant-keycloak-idp-controller-manager-rolebinding
+ namespace: projectsyn-lieutenant-keycloak-idp-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: lieutenant-keycloak-idp-controller-controller-manager
+ namespace: projectsyn-lieutenant-keycloak-idp-controller
diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_namespace_projectsyn-lieutenant-keycloak-idp-controller.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_namespace_projectsyn-lieutenant-keycloak-idp-controller.yaml
new file mode 100644
index 0000000..221beb6
--- /dev/null
+++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_namespace_projectsyn-lieutenant-keycloak-idp-controller.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller
+ app.kubernetes.io/instance: system
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller
+ control-plane: controller-manager
+ name: projectsyn-lieutenant-keycloak-idp-controller
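Review bot: The manager RoleBinding's `roleRef.name: manager-role` does not follow the naming used by every other RBAC object in this output, and no Role with that bare name is visible here; the leader-election binding in the previous hunk refers to the fully prefixed `lieutenant-keycloak-idp-controller-leader-election-role`, which matches the Role it binds to. Unless a Role literally named `manager-role` exists in `projectsyn-lieutenant-keycloak-idp-controller`, this binding dangles and the `lieutenant-keycloak-idp-controller-controller-manager` ServiceAccount receives none of the manager permissions, which would surface as reconcile failures rather than a clear error; it also means any later object that happens to be named `manager-role` in that namespace would silently be granted to this ServiceAccount. This looks like a name prefix that was applied to `metadata.name` but not to `roleRef` when the upstream manifests were rendered, so the correction most likely belongs in the rendering code with the golden file regenerated, giving `name: lieutenant-keycloak-idp-controller-manager-role`. Please confirm the actual Role name in the manager-role file of this commit before changing it.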
diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_service_lieutenant-keycloak-idp-controller-controller-manager-metrics.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_service_lieutenant-keycloak-idp-controller-controller-manager-metrics.yaml
new file mode 100644
index 0000000..d4249cd
--- /dev/null
+++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_service_lieutenant-keycloak-idp-controller-controller-manager-metrics.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller
+ app.kubernetes.io/instance: controller-manager-metrics
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: service
+ app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller
+ control-plane: controller-manager
+ name: lieutenant-keycloak-idp-controller-controller-manager-metrics
+ namespace: projectsyn-lieutenant-keycloak-idp-controller
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_serviceaccount_lieutenant-keycloak-idp-controller-controller-manager.yaml b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_serviceaccount_lieutenant-keycloak-idp-controller-controller-manager.yaml
new file mode 100644
index 0000000..45d774e
--- /dev/null
+++ b/tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/v1_serviceaccount_lieutenant-keycloak-idp-controller-controller-manager.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: lieutenant-keycloak-idp-controller
+ app.kubernetes.io/instance: controller-manager
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/part-of: lieutenant-keycloak-idp-controller
+ name: lieutenant-keycloak-idp-controller-controller-manager
+ namespace: projectsyn-lieutenant-keycloak-idp-controller