diff --git a/.github/workflows/account-operator-crds.yaml b/.github/workflows/account-operator-crds.yaml deleted file mode 100644 index ad2ed1b38..000000000 --- a/.github/workflows/account-operator-crds.yaml +++ /dev/null @@ -1,34 +0,0 @@ -name: Build account-operator-crds Workflow -on: - push: - paths: - - 'charts/account-operator-crds/**' - - '.github/workflows/account-operator-crds.yaml' - - '.ocm/component-constructor-chart-only.yaml' - pull_request: - paths: - - 'charts/account-operator-crds/**' - - '.github/workflows/account-operator-crds.yaml' - -jobs: - pipeline: - concurrency: - group: account-operator-crds-${{ github.ref }} - cancel-in-progress: true - uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main - with: - chartFolder: charts - chartName: account-operator-crds - additionalTestFilesCommand: '' - chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts' - secrets: inherit - - ocm: - if: ${{ github.ref == 'refs/heads/main' }} - needs: [pipeline] - uses: openmfp/gha/.github/workflows/job-ocm.yml@switch-oci-repo - secrets: inherit - with: - chartPath: charts/account-operator-crds - componentName: github.com/openmfp/account-operator-crds - componentConstructorFile: .ocm/component-constructor-chart-only.yaml \ No newline at end of file diff --git a/.github/workflows/account-operator.yaml b/.github/workflows/account-operator.yaml deleted file mode 100644 index e0e556459..000000000 --- a/.github/workflows/account-operator.yaml +++ /dev/null @@ -1,33 +0,0 @@ -name: Build account-operator Workflow -on: - push: - paths: - - 'charts/account-operator/**' - - '.github/workflows/account-operator.yaml' - - '.ocm/component-constructor.yaml' - pull_request: - paths: - - 'charts/account-operator/**' - - '.github/workflows/account-operator.yaml' - -jobs: - pipeline: - concurrency: - group: account-operator-${{ github.ref }} - cancel-in-progress: true - uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main - with: - chartFolder: charts - chartName: account-operator - additionalTestFilesCommand: '' - chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts' - secrets: inherit - - ocm: - if: ${{ github.ref == 'refs/heads/main' }} - needs: [pipeline] - uses: openmfp/gha/.github/workflows/job-ocm.yml@switch-oci-repo - secrets: inherit - with: - chartPath: charts/account-operator - componentName: github.com/openmfp/account-operator \ No newline at end of file diff --git a/charts/account-operator-crds/Chart.yaml b/charts/account-operator-crds/Chart.yaml deleted file mode 100644 index 65b54adc1..000000000 --- a/charts/account-operator-crds/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v2 -name: account-operator-crds -description: A Helm chart for Kubernetes - -type: application - -version: 0.2.2 - -appVersion: "0.0.0" diff --git a/charts/account-operator-crds/README.md b/charts/account-operator-crds/README.md deleted file mode 100644 index 01e99c83c..000000000 --- a/charts/account-operator-crds/README.md +++ /dev/null @@ -1,28 +0,0 @@ -# account-operator-crds - -A Helm chart for Kubernetes - -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) -## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| kcp.identityHash | string | `""` | The identityHash of KCP's core tenant api export | - -## Overriding Values - -The values in the `defaults:` section can be reused from other charts by using the lookup function "common.getKeyValue". It implements lookup on three levels: - -1. Looks for `keyOverride` in the chart's values.yaml -2. Looks for `global.key` in the chart's or parent chart's values.yaml -3. Uses the `key` in the chart's values.yaml -4. Uses the `common.defaults.key` value from the table below. - -1 has precedence over 2 over 3 over 4 respectively. This approach allows for individual charts to have minimal configuration, while still being able to override parameters locally. - -Example -``` -1) .Values.deployment.resources.limits.memoryOverride = 4096MB -2) .Values.global.deployment.resources.limits.memory = 2048MB -3) .Values.deployment.resources.limits.memory = 1024MB -4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB -``` diff --git a/charts/account-operator-crds/README.md.gotmpl b/charts/account-operator-crds/README.md.gotmpl deleted file mode 100644 index e69de29bb..000000000 diff --git a/charts/account-operator-crds/templates/apiexport-core.openmfp.org.yaml b/charts/account-operator-crds/templates/apiexport-core.openmfp.org.yaml deleted file mode 100644 index 9265e32e7..000000000 --- a/charts/account-operator-crds/templates/apiexport-core.openmfp.org.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: apis.kcp.io/v1alpha1 -kind: APIExport -metadata: - creationTimestamp: null - name: core.openmfp.org -spec: - latestResourceSchemas: - - v250516-0b27c30.accountinfos.core.openmfp.org - - v250305-70de32b.accounts.core.openmfp.org - permissionClaims: - - all: true - resource: namespaces - - all: true - group: tenancy.kcp.io - identityHash: '{{ .Values.kcp.identityHash }}' - resource: workspaces - - all: true - group: tenancy.kcp.io - identityHash: '{{ .Values.kcp.identityHash }}' - resource: workspacetypes -status: {} diff --git a/charts/account-operator-crds/templates/apiexportendpointslice-core.openmfp.org.yaml b/charts/account-operator-crds/templates/apiexportendpointslice-core.openmfp.org.yaml deleted file mode 100644 index 022e97e85..000000000 --- a/charts/account-operator-crds/templates/apiexportendpointslice-core.openmfp.org.yaml +++ /dev/null @@ -1,8 +0,0 @@ -kind: APIExportEndpointSlice -apiVersion: apis.kcp.io/v1alpha1 -metadata: - name: core.openmfp.org -spec: - export: - path: root:openmfp-system - name: core.openmfp.org \ No newline at end of file diff --git a/charts/account-operator-crds/templates/apiresourceschema-accountinfos.core.openmfp.org.yaml b/charts/account-operator-crds/templates/apiresourceschema-accountinfos.core.openmfp.org.yaml deleted file mode 100644 index 2d72a2008..000000000 --- a/charts/account-operator-crds/templates/apiresourceschema-accountinfos.core.openmfp.org.yaml +++ /dev/null @@ -1,137 +0,0 @@ -apiVersion: apis.kcp.io/v1alpha1 -kind: APIResourceSchema -metadata: - creationTimestamp: null - name: v250516-0b27c30.accountinfos.core.openmfp.org -spec: - group: core.openmfp.org - names: - kind: AccountInfo - listKind: AccountInfoList - plural: accountinfos - singular: accountinfo - scope: Cluster - versions: - - name: v1alpha1 - schema: - description: AccountInfo is the Schema for the accountinfo API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountInfoSpec defines the desired state of Account - properties: - account: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - clusterInfo: - properties: - ca: - type: string - required: - - ca - type: object - fga: - properties: - store: - properties: - id: - type: string - required: - - id - type: object - required: - - store - type: object - organization: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - parentAccount: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - required: - - account - - clusterInfo - - fga - - organization - type: object - status: - description: AccountInfoStatus defines the observed state of AccountInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/account-operator-crds/templates/apiresourceschema-accounts.core.openmfp.org.yaml b/charts/account-operator-crds/templates/apiresourceschema-accounts.core.openmfp.org.yaml deleted file mode 100644 index a1458970f..000000000 --- a/charts/account-operator-crds/templates/apiresourceschema-accounts.core.openmfp.org.yaml +++ /dev/null @@ -1,187 +0,0 @@ -apiVersion: apis.kcp.io/v1alpha1 -kind: APIResourceSchema -metadata: - creationTimestamp: null - name: v250305-70de32b.accounts.core.openmfp.org -spec: - group: core.openmfp.org - names: - kind: Account - listKind: AccountList - plural: accounts - singular: account - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.displayName - name: Display Name - type: string - - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - description: Account is the Schema for the accounts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountSpec defines the desired state of Account - properties: - creator: - description: The initial creator of this account - type: string - data: - description: Additional information that should be stored with the account - x-kubernetes-preserve-unknown-fields: true - description: - description: An optional description for this account - type: string - displayName: - description: The display name for this account - maxLength: 255 - type: string - extensions: - items: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadataGoTemplate: - x-kubernetes-preserve-unknown-fields: true - readyConditionType: - description: |- - The type of a condition that must be set to True on the Extension object - for the extension to be considered reconciled and ready. If this is empty, - the extension is considered ready. - type: string - specGoTemplate: - x-kubernetes-preserve-unknown-fields: true - required: - - specGoTemplate - type: object - type: array - type: - description: Type specifies the intended type for this Account object. - enum: - - org - - account - type: string - required: - - displayName - - type - type: object - status: - description: AccountStatus defines the observed state of Account - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for direct - use as an array at the field path .status.conditions. For example,\n\n\n\ttype - FooStatus struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t - \ // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - nextReconcileTime: - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/account-operator-crds/test-values.yaml b/charts/account-operator-crds/test-values.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/charts/account-operator-crds/tests/__snapshot__/crd_test.yaml.snap b/charts/account-operator-crds/tests/__snapshot__/crd_test.yaml.snap deleted file mode 100644 index 0c03d8a50..000000000 --- a/charts/account-operator-crds/tests/__snapshot__/crd_test.yaml.snap +++ /dev/null @@ -1,732 +0,0 @@ -crds match the snapshot: - 1: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExport - metadata: - creationTimestamp: null - name: core.openmfp.org - spec: - latestResourceSchemas: - - v250516-0b27c30.accountinfos.core.openmfp.org - - v250305-70de32b.accounts.core.openmfp.org - permissionClaims: - - all: true - resource: namespaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspacetypes - status: {} - 2: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExportEndpointSlice - metadata: - name: core.openmfp.org - spec: - export: - name: core.openmfp.org - path: root:openmfp-system - 3: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250516-0b27c30.accountinfos.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: AccountInfo - listKind: AccountInfoList - plural: accountinfos - singular: accountinfo - scope: Cluster - versions: - - name: v1alpha1 - schema: - description: AccountInfo is the Schema for the accountinfo API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountInfoSpec defines the desired state of Account - properties: - account: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - clusterInfo: - properties: - ca: - type: string - required: - - ca - type: object - fga: - properties: - store: - properties: - id: - type: string - required: - - id - type: object - required: - - store - type: object - organization: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - parentAccount: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - required: - - account - - clusterInfo - - fga - - organization - type: object - status: - description: AccountInfoStatus defines the observed state of AccountInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} - 4: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250305-70de32b.accounts.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: Account - listKind: AccountList - plural: accounts - singular: account - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.displayName - name: Display Name - type: string - - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - description: Account is the Schema for the accounts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountSpec defines the desired state of Account - properties: - creator: - description: The initial creator of this account - type: string - data: - description: Additional information that should be stored with the account - x-kubernetes-preserve-unknown-fields: true - description: - description: An optional description for this account - type: string - displayName: - description: The display name for this account - maxLength: 255 - type: string - extensions: - items: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadataGoTemplate: - x-kubernetes-preserve-unknown-fields: true - readyConditionType: - description: |- - The type of a condition that must be set to True on the Extension object - for the extension to be considered reconciled and ready. If this is empty, - the extension is considered ready. - type: string - specGoTemplate: - x-kubernetes-preserve-unknown-fields: true - required: - - specGoTemplate - type: object - type: array - type: - description: Type specifies the intended type for this Account object. - enum: - - org - - account - type: string - required: - - displayName - - type - type: object - status: - description: AccountStatus defines the observed state of Account - properties: - conditions: - items: - description: |- - Condition contains details for one aspect of the current state of this API Resource. - --- - This struct is intended for direct use as an array at the field path .status.conditions. For example, - - - type FooStatus struct{ - // Represents the observations of a foo's current state. - // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" - // +patchMergeKey=type - // +patchStrategy=merge - // +listType=map - // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - - - // other fields - } - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - nextReconcileTime: - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -crds with kcp enabled match the snapshot: - 1: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExport - metadata: - creationTimestamp: null - name: core.openmfp.org - spec: - latestResourceSchemas: - - v250516-0b27c30.accountinfos.core.openmfp.org - - v250305-70de32b.accounts.core.openmfp.org - permissionClaims: - - all: true - resource: namespaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspacetypes - status: {} - 2: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExportEndpointSlice - metadata: - name: core.openmfp.org - spec: - export: - name: core.openmfp.org - path: root:openmfp-system - 3: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250516-0b27c30.accountinfos.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: AccountInfo - listKind: AccountInfoList - plural: accountinfos - singular: accountinfo - scope: Cluster - versions: - - name: v1alpha1 - schema: - description: AccountInfo is the Schema for the accountinfo API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountInfoSpec defines the desired state of Account - properties: - account: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - clusterInfo: - properties: - ca: - type: string - required: - - ca - type: object - fga: - properties: - store: - properties: - id: - type: string - required: - - id - type: object - required: - - store - type: object - organization: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - parentAccount: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - required: - - account - - clusterInfo - - fga - - organization - type: object - status: - description: AccountInfoStatus defines the observed state of AccountInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} - 4: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250305-70de32b.accounts.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: Account - listKind: AccountList - plural: accounts - singular: account - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.displayName - name: Display Name - type: string - - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - description: Account is the Schema for the accounts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountSpec defines the desired state of Account - properties: - creator: - description: The initial creator of this account - type: string - data: - description: Additional information that should be stored with the account - x-kubernetes-preserve-unknown-fields: true - description: - description: An optional description for this account - type: string - displayName: - description: The display name for this account - maxLength: 255 - type: string - extensions: - items: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadataGoTemplate: - x-kubernetes-preserve-unknown-fields: true - readyConditionType: - description: |- - The type of a condition that must be set to True on the Extension object - for the extension to be considered reconciled and ready. If this is empty, - the extension is considered ready. - type: string - specGoTemplate: - x-kubernetes-preserve-unknown-fields: true - required: - - specGoTemplate - type: object - type: array - type: - description: Type specifies the intended type for this Account object. - enum: - - org - - account - type: string - required: - - displayName - - type - type: object - status: - description: AccountStatus defines the observed state of Account - properties: - conditions: - items: - description: |- - Condition contains details for one aspect of the current state of this API Resource. - --- - This struct is intended for direct use as an array at the field path .status.conditions. For example, - - - type FooStatus struct{ - // Represents the observations of a foo's current state. - // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" - // +patchMergeKey=type - // +patchStrategy=merge - // +listType=map - // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - - - // other fields - } - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - nextReconcileTime: - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/account-operator-crds/tests/crd_test.yaml b/charts/account-operator-crds/tests/crd_test.yaml deleted file mode 100644 index 1a348cbcc..000000000 --- a/charts/account-operator-crds/tests/crd_test.yaml +++ /dev/null @@ -1,15 +0,0 @@ -suite: crds -values: - - ../test-values.yaml -chart: - version: 0.1.1 - appVersion: 1.16.0 -tests: - - it: crds match the snapshot - asserts: - - matchSnapshot: {} - - it: crds with kcp enabled match the snapshot - set: - kcp.enabled: true - asserts: - - matchSnapshot: {} \ No newline at end of file diff --git a/charts/account-operator-crds/values.yaml b/charts/account-operator-crds/values.yaml deleted file mode 100644 index cfb0a84d5..000000000 --- a/charts/account-operator-crds/values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -kcp: - # -- The identityHash of KCP's core tenant api export - identityHash: "" diff --git a/charts/account-operator/.helmignore b/charts/account-operator/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/charts/account-operator/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/account-operator/Chart.lock b/charts/account-operator/Chart.lock deleted file mode 100644 index 3f8bbf3f8..000000000 --- a/charts/account-operator/Chart.lock +++ /dev/null @@ -1,9 +0,0 @@ -dependencies: -- name: account-operator-crds - repository: oci://ghcr.io/openmfp/helm-charts - version: 0.2.2 -- name: common - repository: oci://ghcr.io/openmfp/helm-charts - version: 0.5.2 -digest: sha256:6d8fe493548bf4f71106b76fc7e38c33e25a3201a8744a01c8c1d10cb22f6d42 -generated: "2025-06-14T17:50:36.363619434Z" diff --git a/charts/account-operator/Chart.yaml b/charts/account-operator/Chart.yaml deleted file mode 100644 index edfadd1db..000000000 --- a/charts/account-operator/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v2 -name: account-operator -description: A Helm chart to deploy OpenMFP Account-Operator -type: application -version: 0.8.17 -appVersion: "v0.170.15" -dependencies: - - name: account-operator-crds - version: 0.2.2 - condition: crds.enabled - repository: oci://ghcr.io/openmfp/helm-charts - - name: common - version: 0.5.2 - repository: oci://ghcr.io/openmfp/helm-charts diff --git a/charts/account-operator/README.md b/charts/account-operator/README.md deleted file mode 100644 index 9de526f3c..000000000 --- a/charts/account-operator/README.md +++ /dev/null @@ -1,57 +0,0 @@ -# account-operator - -A Helm chart to deploy OpenMFP Account-Operator - -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) - -## Requirements - -| Repository | Name | Description | Sources | -|------------|------|-------------|---------| -| `oci://ghcr.io/openmfp/helm-charts` | `common` | The `common` chart is a library of common resources that are shared across all other charts in the repository. It has no templates, but provides helm template functions and [default values](https://github.com/openmfp/helm-charts/blob/main/charts/common/values.yaml) that can be used by other charts. |[source](https://github.com/openmfp/helm-charts/tree/main/charts/common)| -| `oci://ghcr.io/openmfp/helm-charts` | `account-operator-crds` | The `account-operator-crds` chart provides CRDS introduced by the `account-operator`. |[source](https://github.com/openmfp/helm-charts/tree/main/charts/account-operator-crds)| -## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| crds.enabled | bool | `true` | Enable CRDs | -| deployment.hostAliases | list | `[]` | | -| deployment.specTemplate.annotations | object | `{}` | The annotations for the deployment | -| deployment.specTemplate.labels | object | `{}` | The labels for the deployment | -| image.name | string | `"ghcr.io/openmfp/account-operator"` | The image repository | -| kcp | object | `{"apiExportEndpointSliceName":"core.openmfp.org","enabled":false,"virtualWorkspaceUrl":""}` | The KCP configuration | -| kcp.apiExportEndpointSliceName | string | `"core.openmfp.org"` | KCP APIExportEndpointSliceName | -| kcp.enabled | bool | `false` | Enable KCP | -| kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace | -| kubeconfigSecret | string | `""` | The secret for kubeconfig | -| security.mountServiceAccountToken | bool | `true` | Mount the service account token | -| subroutines.extension.enabled | bool | `true` | Enable extension subroutines | -| subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines | -| subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA | -| subroutines.fga.enabled | bool | `true` | Enable FGA subroutines | -| subroutines.fga.grpcAddr | string | `"openmfp-openfga:8081"` | The gRPC address for FGA | -| subroutines.fga.objectType | string | `"account"` | The object type for FGA | -| subroutines.fga.parentRelation | string | `"parent"` | The parent relation for FGA | -| subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA | -| subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines | -| webhooks.certDir | string | `"/certs"` | The directory for webhook certificates | -| webhooks.enabled | bool | `true` | Enable webhooks | -| webhooks.register | bool | `false` | Register webhooks, flag to toggle if webhooks should be registered on the runtime cluster | - -## Overriding Values - -The values in the `defaults:` section can be reused from other charts by using the lookup function "common.getKeyValue". It implements lookup on three levels: - -1. Looks for `keyOverride` in the chart's values.yaml -2. Looks for `global.key` in the chart's or parent chart's values.yaml -3. Uses the `key` in the chart's values.yaml -4. Uses the `common.defaults.key` value from the table below. - -1 has precedence over 2 over 3 over 4 respectively. This approach allows for individual charts to have minimal configuration, while still being able to override parameters locally. - -Example -``` -1) .Values.deployment.resources.limits.memoryOverride = 4096MB -2) .Values.global.deployment.resources.limits.memory = 2048MB -3) .Values.deployment.resources.limits.memory = 1024MB -4) .Values.common.defaults.deployment.resources.limits.memory = default 512MB -``` diff --git a/charts/account-operator/README.md.gotmpl b/charts/account-operator/README.md.gotmpl deleted file mode 100644 index 771b3fe97..000000000 --- a/charts/account-operator/README.md.gotmpl +++ /dev/null @@ -1,7 +0,0 @@ - -## Requirements - -| Repository | Name | Description | Sources | -|------------|------|-------------|---------| -| `oci://ghcr.io/openmfp/helm-charts` | `common` | The `common` chart is a library of common resources that are shared across all other charts in the repository. It has no templates, but provides helm template functions and [default values](https://github.com/openmfp/helm-charts/blob/main/charts/common/values.yaml) that can be used by other charts. |[source](https://github.com/openmfp/helm-charts/tree/main/charts/common)| -| `oci://ghcr.io/openmfp/helm-charts` | `account-operator-crds` | The `account-operator-crds` chart provides CRDS introduced by the `account-operator`. |[source](https://github.com/openmfp/helm-charts/tree/main/charts/account-operator-crds)| diff --git a/charts/account-operator/charts/account-operator-crds-0.2.2.tgz b/charts/account-operator/charts/account-operator-crds-0.2.2.tgz deleted file mode 100644 index 8424c4971..000000000 Binary files a/charts/account-operator/charts/account-operator-crds-0.2.2.tgz and /dev/null differ diff --git a/charts/account-operator/charts/common-0.5.2.tgz b/charts/account-operator/charts/common-0.5.2.tgz deleted file mode 100644 index 5ffcdbacb..000000000 Binary files a/charts/account-operator/charts/common-0.5.2.tgz and /dev/null differ diff --git a/charts/account-operator/templates/cluster-role.yaml b/charts/account-operator/templates/cluster-role.yaml deleted file mode 100644 index d596a6b74..000000000 --- a/charts/account-operator/templates/cluster-role.yaml +++ /dev/null @@ -1,55 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "common.entity.name" . }} -rules: -- apiGroups: - - core.openmfp.io - resources: - - accounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - core.openmfp.io - resources: - - accounts - - accounts/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - namespaces - - events - verbs: - - get - - list - - watch - - create - - update - - patch - - delete diff --git a/charts/account-operator/templates/cluster-rolebinding.yaml b/charts/account-operator/templates/cluster-rolebinding.yaml deleted file mode 100644 index 45876e6f2..000000000 --- a/charts/account-operator/templates/cluster-rolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "common.entity.name" . }} -subjects: -- kind: ServiceAccount - name: {{ include "common.entity.name" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ include "common.entity.name" . }} - apiGroup: rbac.authorization.k8s.io diff --git a/charts/account-operator/templates/deployment.yaml b/charts/account-operator/templates/deployment.yaml deleted file mode 100644 index ceefb941b..000000000 --- a/charts/account-operator/templates/deployment.yaml +++ /dev/null @@ -1,114 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.entity.name" . }} - {{- if .Values.webhooks.enabled }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "common.entity.name" . }}-serving-cert - {{- end }} -spec: - revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }} - selector: - matchLabels: - {{- include "common.labelMatcher" . | indent 6 }} - template: - metadata: - labels: - {{- include "common.labelMatcher" . | indent 8 }} - {{- with .Values.deployment.specTemplate.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - control-plane: controller-manager - annotations: - {{- with .Values.deployment.specTemplate.annotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.webhooks.enabled }} - traffic.sidecar.istio.io/excludeInboundPorts: "9443" - {{- end }} - spec: - {{- include "common.pod.securityContext" . | indent 6 }} - terminationGracePeriodSeconds: {{ include "common.terminationGracePeriodSeconds" .}} - containers: - - {{- include "common.podBasics" . | indent 8 }} - {{- include "common.container.securityContext" . | indent 8 }} - {{- include "common.operatorHealthAndReadyness" . | indent 8}} - ports: - {{- include "common.PortsMetricsHealth" . | nindent 10 }} - {{- if .Values.webhooks.enabled }} - - name: webhook-port - containerPort: 9443 - protocol: TCP - {{- end }} - args: - - operator - {{- include "common.commonOperatorArgs" . | indent 8 }} - {{- if .Values.webhooks.enabled }} - - --webhooks-enabled - - --webhooks-cert-dir={{ .Values.webhooks.certDir }} - {{- end }} - env: - {{- include "common.basicEnvironment" . | nindent 10 }} - - name: SUBROUTINES_NAMESPACE_ENABLED - value: "{{ .Values.subroutines.namespace.enabled }}" - - name: SUBROUTINES_FGA_ENABLED - value: "{{ .Values.subroutines.fga.enabled }}" - - name: SUBROUTINES_FGA_GRPC_ADDR - value: "{{ .Values.subroutines.fga.grpcAddr }}" - - name: SUBROUTINES_FGA_ROOT_NAMESPACE - value: "{{ .Values.subroutines.fga.rootNamespace }}" - - name: SUBROUTINES_FGA_OBJECT_TYPE - value: "{{ .Values.subroutines.fga.objectType }}" - - name: SUBROUTINES_FGA_PARENT_RELATION - value: "{{ .Values.subroutines.fga.parentRelation }}" - - name: SUBROUTINES_FGA_CREATOR_RELATION - value: "{{ .Values.subroutines.fga.creatorRelation }}" - - name: SUBROUTINES_EXTENSION_ENABLED - value: "{{ .Values.subroutines.extension.enabled }}" - - name: SUBROUTINES_EXTENSION_READY_ENABLED - value: "{{ .Values.subroutines.extensionReady.enabled }}" - - name: KCP_ENABLED - value: "{{ .Values.kcp.enabled }}" - - name: KCP_VIRTUAL_WORKSPACE_URL - value: "{{ .Values.kcp.virtualWorkspaceUrl }}" - - name: KCP_API_EXPORT_ENDPOINT_SLICE_NAME - value: "{{ .Values.kcp.apiExportEndpointSliceName }}" - {{- if .Values.kubeconfigSecret }} - - name: KUBECONFIG - value: /api-kubeconfig/kubeconfig - {{- end }} - volumeMounts: - {{- include "common.extraVolumeMounts" . | nindent 8 }} - {{- if .Values.kubeconfigSecret }} - - name: external-api-server - mountPath: /api-kubeconfig - {{- end }} - {{- if .Values.webhooks.enabled }} - - mountPath: {{ .Values.webhooks.certDir }} - name: cert - readOnly: true - {{- end }} - {{- if .Values.deployment.hostAliases }} - hostAliases: - {{- range .Values.deployment.hostAliases }} - - ip: {{ .ip }} - hostnames: - {{- range .hostnames }} - - {{ . }} - {{- end }} - {{- end }} - {{- else }} - {{- end }} - volumes: - {{- include "common.extraVolumes" . | nindent 8 }} - {{- if .Values.kubeconfigSecret }} - - name: external-api-server - secret: - secretName: {{ .Values.kubeconfigSecret }} - {{- end }} - {{- if .Values.webhooks.enabled }} - - name: cert - secret: - defaultMode: 420 - secretName: {{ include "common.entity.name" . }}-webhook-server-cert - {{- end }} diff --git a/charts/account-operator/templates/service-account.yaml b/charts/account-operator/templates/service-account.yaml deleted file mode 100644 index 490c917a9..000000000 --- a/charts/account-operator/templates/service-account.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "common.entity.name" . }} -{{- include "common.imagePullSecret" . }} diff --git a/charts/account-operator/templates/webhook/mutation-webhook.yaml b/charts/account-operator/templates/webhook/mutation-webhook.yaml deleted file mode 100644 index f50c219a7..000000000 --- a/charts/account-operator/templates/webhook/mutation-webhook.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if and .Values.webhooks.enabled .Values.webhooks.register -}} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: {{ include "common.entity.name" . }}-mutating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "common.entity.name" . }}-serving-cert -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - url: {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc:9443/mutate-core-openmfp-io-v1alpha1-account - failurePolicy: Fail - name: maccount.kb.io - rules: - - apiGroups: - - core.openmfp.io - apiVersions: - - v1alpha1 - operations: - - CREATE - resources: - - accounts - sideEffects: None -{{- end -}} \ No newline at end of file diff --git a/charts/account-operator/templates/webhook/pki.yaml b/charts/account-operator/templates/webhook/pki.yaml deleted file mode 100644 index 9e4d73ff3..000000000 --- a/charts/account-operator/templates/webhook/pki.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.webhooks.enabled -}} -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "common.entity.name" . }}-selfsigned-issuer -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "common.entity.name" . }}-serving-cert -spec: - dnsNames: - - {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc - - {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ include "common.entity.name" . }}-selfsigned-issuer - secretName: {{ include "common.entity.name" . }}-webhook-server-cert -{{- end -}} diff --git a/charts/account-operator/templates/webhook/service.yaml b/charts/account-operator/templates/webhook/service.yaml deleted file mode 100644 index 24ade187d..000000000 --- a/charts/account-operator/templates/webhook/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.webhooks.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.entity.name" . }}-webhook -spec: - ports: - - port: 9443 - protocol: TCP - targetPort: 9443 - selector: - {{- include "common.labelMatcher" . | indent 6 }} -{{- end -}} diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap deleted file mode 100644 index 3ea460498..000000000 --- a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap +++ /dev/null @@ -1,1912 +0,0 @@ -deployment with tracing: - 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert - name: account-operator - spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app: account-operator - template: - metadata: - annotations: - traffic.sidecar.istio.io/excludeInboundPorts: "9443" - labels: - app: account-operator - control-plane: controller-manager - spec: - automountServiceAccountToken: true - containers: - - args: - - operator - - --leader-elect - - --metrics-bind-address=:9090 - - --health-probe-bind-address=:8090 - - --log-level=warn - - --region=local - - --environment=local - - --image-tag=0.0.0 - - --image-name="ghcr.io/openmfp/account-operator" - - --shutdown-timeout=1m - - --max-concurrent-reconciles=10 - - --tracing-enabled=true - - --tracing-config-service-name=account-operator.NAMESPACE - - --tracing-config-service-version=0.0.0 - - --tracing-config-collector-endpoint=test:4317 - - --webhooks-enabled - - --webhooks-cert-dir=/certs - env: - - name: SUBROUTINES_NAMESPACE_ENABLED - value: "true" - - name: SUBROUTINES_FGA_ENABLED - value: "true" - - name: SUBROUTINES_FGA_GRPC_ADDR - value: openmfp-openfga:8081 - - name: SUBROUTINES_FGA_ROOT_NAMESPACE - value: openmfp-root - - name: SUBROUTINES_FGA_OBJECT_TYPE - value: account - - name: SUBROUTINES_FGA_PARENT_RELATION - value: parent - - name: SUBROUTINES_FGA_CREATOR_RELATION - value: owner - - name: SUBROUTINES_EXTENSION_ENABLED - value: "true" - - name: SUBROUTINES_EXTENSION_READY_ENABLED - value: "true" - - name: KCP_ENABLED - value: "false" - - name: KCP_VIRTUAL_WORKSPACE_URL - value: "" - - name: KCP_API_EXPORT_ENDPOINT_SLICE_NAME - value: core.openmfp.org - image: ghcr.io/openmfp/account-operator:0.0.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 1 - httpGet: - path: /healthz - port: 8090 - periodSeconds: 10 - name: account-operator - ports: - - containerPort: 9090 - name: metrics - protocol: TCP - - containerPort: 8090 - name: health-port - protocol: TCP - - containerPort: 9443 - name: webhook-port - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8090 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - memory: 512Mi - requests: - cpu: 40m - memory: 50Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /readyz - port: 8090 - periodSeconds: 10 - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: account-operator - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: account-operator-webhook-server-cert -operator match the snapshot: - 1: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExport - metadata: - creationTimestamp: null - name: core.openmfp.org - spec: - latestResourceSchemas: - - v250516-0b27c30.accountinfos.core.openmfp.org - - v250305-70de32b.accounts.core.openmfp.org - permissionClaims: - - all: true - resource: namespaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspacetypes - status: {} - 2: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExportEndpointSlice - metadata: - name: core.openmfp.org - spec: - export: - name: core.openmfp.org - path: root:openmfp-system - 3: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250516-0b27c30.accountinfos.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: AccountInfo - listKind: AccountInfoList - plural: accountinfos - singular: accountinfo - scope: Cluster - versions: - - name: v1alpha1 - schema: - description: AccountInfo is the Schema for the accountinfo API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountInfoSpec defines the desired state of Account - properties: - account: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - clusterInfo: - properties: - ca: - type: string - required: - - ca - type: object - fga: - properties: - store: - properties: - id: - type: string - required: - - id - type: object - required: - - store - type: object - organization: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - parentAccount: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - required: - - account - - clusterInfo - - fga - - organization - type: object - status: - description: AccountInfoStatus defines the observed state of AccountInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} - 4: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250305-70de32b.accounts.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: Account - listKind: AccountList - plural: accounts - singular: account - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.displayName - name: Display Name - type: string - - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - description: Account is the Schema for the accounts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountSpec defines the desired state of Account - properties: - creator: - description: The initial creator of this account - type: string - data: - description: Additional information that should be stored with the account - x-kubernetes-preserve-unknown-fields: true - description: - description: An optional description for this account - type: string - displayName: - description: The display name for this account - maxLength: 255 - type: string - extensions: - items: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadataGoTemplate: - x-kubernetes-preserve-unknown-fields: true - readyConditionType: - description: |- - The type of a condition that must be set to True on the Extension object - for the extension to be considered reconciled and ready. If this is empty, - the extension is considered ready. - type: string - specGoTemplate: - x-kubernetes-preserve-unknown-fields: true - required: - - specGoTemplate - type: object - type: array - type: - description: Type specifies the intended type for this Account object. - enum: - - org - - account - type: string - required: - - displayName - - type - type: object - status: - description: AccountStatus defines the observed state of Account - properties: - conditions: - items: - description: |- - Condition contains details for one aspect of the current state of this API Resource. - --- - This struct is intended for direct use as an array at the field path .status.conditions. For example, - - - type FooStatus struct{ - // Represents the observations of a foo's current state. - // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" - // +patchMergeKey=type - // +patchStrategy=merge - // +listType=map - // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - - - // other fields - } - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - nextReconcileTime: - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - 5: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: account-operator - rules: - - apiGroups: - - core.openmfp.io - resources: - - accounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - core.openmfp.io - resources: - - accounts - - accounts/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - namespaces - - events - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - 6: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: account-operator - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: account-operator - subjects: - - kind: ServiceAccount - name: account-operator - namespace: NAMESPACE - 7: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert - name: account-operator - spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app: account-operator - template: - metadata: - annotations: - traffic.sidecar.istio.io/excludeInboundPorts: "9443" - labels: - app: account-operator - control-plane: controller-manager - spec: - automountServiceAccountToken: true - containers: - - args: - - operator - - --leader-elect - - --metrics-bind-address=:9090 - - --health-probe-bind-address=:8090 - - --log-level=warn - - --region=local - - --environment=local - - --image-tag=0.0.0 - - --image-name="ghcr.io/openmfp/account-operator" - - --shutdown-timeout=1m - - --max-concurrent-reconciles=10 - - --webhooks-enabled - - --webhooks-cert-dir=/certs - env: - - name: SUBROUTINES_NAMESPACE_ENABLED - value: "true" - - name: SUBROUTINES_FGA_ENABLED - value: "true" - - name: SUBROUTINES_FGA_GRPC_ADDR - value: openmfp-openfga:8081 - - name: SUBROUTINES_FGA_ROOT_NAMESPACE - value: openmfp-root - - name: SUBROUTINES_FGA_OBJECT_TYPE - value: account - - name: SUBROUTINES_FGA_PARENT_RELATION - value: parent - - name: SUBROUTINES_FGA_CREATOR_RELATION - value: owner - - name: SUBROUTINES_EXTENSION_ENABLED - value: "true" - - name: SUBROUTINES_EXTENSION_READY_ENABLED - value: "true" - - name: KCP_ENABLED - value: "false" - - name: KCP_VIRTUAL_WORKSPACE_URL - value: "" - - name: KCP_API_EXPORT_ENDPOINT_SLICE_NAME - value: core.openmfp.org - image: ghcr.io/openmfp/account-operator:0.0.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 1 - httpGet: - path: /healthz - port: 8090 - periodSeconds: 10 - name: account-operator - ports: - - containerPort: 9090 - name: metrics - protocol: TCP - - containerPort: 8090 - name: health-port - protocol: TCP - - containerPort: 9443 - name: webhook-port - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8090 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 260m - memory: 512Mi - requests: - cpu: 150m - memory: 128Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /readyz - port: 8090 - periodSeconds: 10 - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - hostAliases: - - hostnames: - - kcp.dev.local - ip: 10.96.0.100 - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: account-operator - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: account-operator-webhook-server-cert - 8: | - apiVersion: v1 - imagePullSecrets: - - name: github - kind: ServiceAccount - metadata: - name: account-operator - 9: | - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: account-operator-selfsigned-issuer - spec: - selfSigned: {} - 10: | - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: account-operator-serving-cert - spec: - dnsNames: - - account-operator-webhook.NAMESPACE.svc - - account-operator-webhook.NAMESPACE.svc.cluster.local - issuerRef: - kind: Issuer - name: account-operator-selfsigned-issuer - secretName: account-operator-webhook-server-cert - 11: | - apiVersion: v1 - kind: Service - metadata: - name: account-operator-webhook - spec: - ports: - - port: 9443 - protocol: TCP - targetPort: 9443 - selector: - app: account-operator -operator match the snapshot (with kubeconfigSecret): - 1: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExport - metadata: - creationTimestamp: null - name: core.openmfp.org - spec: - latestResourceSchemas: - - v250516-0b27c30.accountinfos.core.openmfp.org - - v250305-70de32b.accounts.core.openmfp.org - permissionClaims: - - all: true - resource: namespaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspacetypes - status: {} - 2: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExportEndpointSlice - metadata: - name: core.openmfp.org - spec: - export: - name: core.openmfp.org - path: root:openmfp-system - 3: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250516-0b27c30.accountinfos.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: AccountInfo - listKind: AccountInfoList - plural: accountinfos - singular: accountinfo - scope: Cluster - versions: - - name: v1alpha1 - schema: - description: AccountInfo is the Schema for the accountinfo API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountInfoSpec defines the desired state of Account - properties: - account: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - clusterInfo: - properties: - ca: - type: string - required: - - ca - type: object - fga: - properties: - store: - properties: - id: - type: string - required: - - id - type: object - required: - - store - type: object - organization: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - parentAccount: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - required: - - account - - clusterInfo - - fga - - organization - type: object - status: - description: AccountInfoStatus defines the observed state of AccountInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} - 4: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250305-70de32b.accounts.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: Account - listKind: AccountList - plural: accounts - singular: account - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.displayName - name: Display Name - type: string - - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - description: Account is the Schema for the accounts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountSpec defines the desired state of Account - properties: - creator: - description: The initial creator of this account - type: string - data: - description: Additional information that should be stored with the account - x-kubernetes-preserve-unknown-fields: true - description: - description: An optional description for this account - type: string - displayName: - description: The display name for this account - maxLength: 255 - type: string - extensions: - items: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadataGoTemplate: - x-kubernetes-preserve-unknown-fields: true - readyConditionType: - description: |- - The type of a condition that must be set to True on the Extension object - for the extension to be considered reconciled and ready. If this is empty, - the extension is considered ready. - type: string - specGoTemplate: - x-kubernetes-preserve-unknown-fields: true - required: - - specGoTemplate - type: object - type: array - type: - description: Type specifies the intended type for this Account object. - enum: - - org - - account - type: string - required: - - displayName - - type - type: object - status: - description: AccountStatus defines the observed state of Account - properties: - conditions: - items: - description: |- - Condition contains details for one aspect of the current state of this API Resource. - --- - This struct is intended for direct use as an array at the field path .status.conditions. For example, - - - type FooStatus struct{ - // Represents the observations of a foo's current state. - // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" - // +patchMergeKey=type - // +patchStrategy=merge - // +listType=map - // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - - - // other fields - } - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - nextReconcileTime: - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - 5: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: account-operator - rules: - - apiGroups: - - core.openmfp.io - resources: - - accounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - core.openmfp.io - resources: - - accounts - - accounts/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - namespaces - - events - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - 6: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: account-operator - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: account-operator - subjects: - - kind: ServiceAccount - name: account-operator - namespace: NAMESPACE - 7: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert - name: account-operator - spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app: account-operator - template: - metadata: - annotations: - traffic.sidecar.istio.io/excludeInboundPorts: "9443" - labels: - app: account-operator - control-plane: controller-manager - spec: - automountServiceAccountToken: true - containers: - - args: - - operator - - --leader-elect - - --metrics-bind-address=:9090 - - --health-probe-bind-address=:8090 - - --log-level=warn - - --region=local - - --environment=local - - --image-tag=0.0.0 - - --image-name="ghcr.io/openmfp/account-operator" - - --shutdown-timeout=1m - - --max-concurrent-reconciles=10 - - --webhooks-enabled - - --webhooks-cert-dir=/certs - env: - - name: SUBROUTINES_NAMESPACE_ENABLED - value: "true" - - name: SUBROUTINES_FGA_ENABLED - value: "true" - - name: SUBROUTINES_FGA_GRPC_ADDR - value: openmfp-openfga:8081 - - name: SUBROUTINES_FGA_ROOT_NAMESPACE - value: openmfp-root - - name: SUBROUTINES_FGA_OBJECT_TYPE - value: account - - name: SUBROUTINES_FGA_PARENT_RELATION - value: parent - - name: SUBROUTINES_FGA_CREATOR_RELATION - value: owner - - name: SUBROUTINES_EXTENSION_ENABLED - value: "true" - - name: SUBROUTINES_EXTENSION_READY_ENABLED - value: "true" - - name: KCP_ENABLED - value: "false" - - name: KCP_VIRTUAL_WORKSPACE_URL - value: "" - - name: KCP_API_EXPORT_ENDPOINT_SLICE_NAME - value: core.openmfp.org - - name: KUBECONFIG - value: /api-kubeconfig/kubeconfig - image: ghcr.io/openmfp/account-operator:0.0.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 1 - httpGet: - path: /healthz - port: 8090 - periodSeconds: 10 - name: account-operator - ports: - - containerPort: 9090 - name: metrics - protocol: TCP - - containerPort: 8090 - name: health-port - protocol: TCP - - containerPort: 9443 - name: webhook-port - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8090 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - memory: 512Mi - requests: - cpu: 40m - memory: 50Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /readyz - port: 8090 - periodSeconds: 10 - volumeMounts: - - mountPath: /api-kubeconfig - name: external-api-server - - mountPath: /certs - name: cert - readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: account-operator - terminationGracePeriodSeconds: 10 - volumes: - - name: external-api-server - secret: - secretName: kubeconfig - - name: cert - secret: - defaultMode: 420 - secretName: account-operator-webhook-server-cert - 8: | - apiVersion: v1 - imagePullSecrets: - - name: github - kind: ServiceAccount - metadata: - name: account-operator - 9: | - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: account-operator-selfsigned-issuer - spec: - selfSigned: {} - 10: | - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: account-operator-serving-cert - spec: - dnsNames: - - account-operator-webhook.NAMESPACE.svc - - account-operator-webhook.NAMESPACE.svc.cluster.local - issuerRef: - kind: Issuer - name: account-operator-selfsigned-issuer - secretName: account-operator-webhook-server-cert - 11: | - apiVersion: v1 - kind: Service - metadata: - name: account-operator-webhook - spec: - ports: - - port: 9443 - protocol: TCP - targetPort: 9443 - selector: - app: account-operator -operator match the snapshot with webhook enabled: - 1: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExport - metadata: - creationTimestamp: null - name: core.openmfp.org - spec: - latestResourceSchemas: - - v250516-0b27c30.accountinfos.core.openmfp.org - - v250305-70de32b.accounts.core.openmfp.org - permissionClaims: - - all: true - resource: namespaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspaces - - all: true - group: tenancy.kcp.io - identityHash: "" - resource: workspacetypes - status: {} - 2: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIExportEndpointSlice - metadata: - name: core.openmfp.org - spec: - export: - name: core.openmfp.org - path: root:openmfp-system - 3: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250516-0b27c30.accountinfos.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: AccountInfo - listKind: AccountInfoList - plural: accountinfos - singular: accountinfo - scope: Cluster - versions: - - name: v1alpha1 - schema: - description: AccountInfo is the Schema for the accountinfo API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountInfoSpec defines the desired state of Account - properties: - account: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - clusterInfo: - properties: - ca: - type: string - required: - - ca - type: object - fga: - properties: - store: - properties: - id: - type: string - required: - - id - type: object - required: - - store - type: object - organization: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - parentAccount: - properties: - generatedClusterId: - type: string - name: - type: string - originClusterId: - type: string - path: - type: string - type: - type: string - url: - type: string - required: - - generatedClusterId - - name - - originClusterId - - path - - type - - url - type: object - required: - - account - - clusterInfo - - fga - - organization - type: object - status: - description: AccountInfoStatus defines the observed state of AccountInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} - 4: | - apiVersion: apis.kcp.io/v1alpha1 - kind: APIResourceSchema - metadata: - creationTimestamp: null - name: v250305-70de32b.accounts.core.openmfp.org - spec: - group: core.openmfp.org - names: - kind: Account - listKind: AccountList - plural: accounts - singular: account - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.displayName - name: Display Name - type: string - - jsonPath: .spec.type - name: Type - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1alpha1 - schema: - description: Account is the Schema for the accounts API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AccountSpec defines the desired state of Account - properties: - creator: - description: The initial creator of this account - type: string - data: - description: Additional information that should be stored with the account - x-kubernetes-preserve-unknown-fields: true - description: - description: An optional description for this account - type: string - displayName: - description: The display name for this account - maxLength: 255 - type: string - extensions: - items: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadataGoTemplate: - x-kubernetes-preserve-unknown-fields: true - readyConditionType: - description: |- - The type of a condition that must be set to True on the Extension object - for the extension to be considered reconciled and ready. If this is empty, - the extension is considered ready. - type: string - specGoTemplate: - x-kubernetes-preserve-unknown-fields: true - required: - - specGoTemplate - type: object - type: array - type: - description: Type specifies the intended type for this Account object. - enum: - - org - - account - type: string - required: - - displayName - - type - type: object - status: - description: AccountStatus defines the observed state of Account - properties: - conditions: - items: - description: |- - Condition contains details for one aspect of the current state of this API Resource. - --- - This struct is intended for direct use as an array at the field path .status.conditions. For example, - - - type FooStatus struct{ - // Represents the observations of a foo's current state. - // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" - // +patchMergeKey=type - // +patchStrategy=merge - // +listType=map - // +listMapKey=type - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - - - // other fields - } - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - nextReconcileTime: - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - 5: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: account-operator - rules: - - apiGroups: - - core.openmfp.io - resources: - - accounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - core.openmfp.io - resources: - - accounts - - accounts/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - namespaces - - events - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - 6: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: account-operator - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: account-operator - subjects: - - kind: ServiceAccount - name: account-operator - namespace: NAMESPACE - 7: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - cert-manager.io/inject-ca-from: NAMESPACE/account-operator-serving-cert - name: account-operator - spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app: account-operator - template: - metadata: - annotations: - traffic.sidecar.istio.io/excludeInboundPorts: "9443" - labels: - app: account-operator - control-plane: controller-manager - spec: - automountServiceAccountToken: true - containers: - - args: - - operator - - --leader-elect - - --metrics-bind-address=:9090 - - --health-probe-bind-address=:8090 - - --log-level=warn - - --region=local - - --environment=local - - --image-tag=0.0.0 - - --image-name="ghcr.io/openmfp/account-operator" - - --shutdown-timeout=1m - - --max-concurrent-reconciles=10 - - --webhooks-enabled - - --webhooks-cert-dir=/certs - env: - - name: SUBROUTINES_NAMESPACE_ENABLED - value: "true" - - name: SUBROUTINES_FGA_ENABLED - value: "true" - - name: SUBROUTINES_FGA_GRPC_ADDR - value: openmfp-openfga:8081 - - name: SUBROUTINES_FGA_ROOT_NAMESPACE - value: openmfp-root - - name: SUBROUTINES_FGA_OBJECT_TYPE - value: account - - name: SUBROUTINES_FGA_PARENT_RELATION - value: parent - - name: SUBROUTINES_FGA_CREATOR_RELATION - value: owner - - name: SUBROUTINES_EXTENSION_ENABLED - value: "true" - - name: SUBROUTINES_EXTENSION_READY_ENABLED - value: "true" - - name: KCP_ENABLED - value: "false" - - name: KCP_VIRTUAL_WORKSPACE_URL - value: "" - - name: KCP_API_EXPORT_ENDPOINT_SLICE_NAME - value: core.openmfp.org - image: ghcr.io/openmfp/account-operator:0.0.0 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 1 - httpGet: - path: /healthz - port: 8090 - periodSeconds: 10 - name: account-operator - ports: - - containerPort: 9090 - name: metrics - protocol: TCP - - containerPort: 8090 - name: health-port - protocol: TCP - - containerPort: 9443 - name: webhook-port - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8090 - initialDelaySeconds: 45 - periodSeconds: 10 - resources: - limits: - cpu: 260m - memory: 512Mi - requests: - cpu: 150m - memory: 128Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz - port: 8090 - periodSeconds: 10 - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: account-operator - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: account-operator-webhook-server-cert - 8: | - apiVersion: v1 - imagePullSecrets: - - name: github - kind: ServiceAccount - metadata: - name: account-operator - 9: | - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: account-operator-selfsigned-issuer - spec: - selfSigned: {} - 10: | - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: account-operator-serving-cert - spec: - dnsNames: - - account-operator-webhook.NAMESPACE.svc - - account-operator-webhook.NAMESPACE.svc.cluster.local - issuerRef: - kind: Issuer - name: account-operator-selfsigned-issuer - secretName: account-operator-webhook-server-cert - 11: | - apiVersion: v1 - kind: Service - metadata: - name: account-operator-webhook - spec: - ports: - - port: 9443 - protocol: TCP - targetPort: 9443 - selector: - app: account-operator diff --git a/charts/account-operator/tests/deployment_test.yaml b/charts/account-operator/tests/deployment_test.yaml deleted file mode 100644 index 7c9fb1511..000000000 --- a/charts/account-operator/tests/deployment_test.yaml +++ /dev/null @@ -1,80 +0,0 @@ -suite: operator -chart: - appVersion: 0.0.0 -release: - name: account-operator -tests: - - it: operator match the snapshot - set: - # health: - # portOverride: 8080 - deployment: - resources: - limits: - cpuOverride: 260m - memoryOverride: 512Mi - requests: - cpuOverride: 150m - memoryOverride: 128Mi - hostAliases: - - hostnames: - - kcp.dev.local - ip: 10.96.0.100 - asserts: - - matchSnapshot: {} - - it: operator match the snapshot (with kubeconfigSecret) - set: - kubeconfigSecret: "kubeconfig" - asserts: - - matchSnapshot: {} - - it: operator match the snapshot with webhook enabled - set: - health: - # portOverride: 8081 - liveness: - pathOverride: "/healthz" - # failureThreshold: 1 - startup: - pathOverride: "/healthz" - readiness: - initialDelaySecondsOverride: 45 - webhooks: - enabled: true - certDir: /certs - deployment: - resources: - limits: - cpuOverride: 260m - memoryOverride: 512Mi - requests: - cpuOverride: 150m - memoryOverride: 128Mi - asserts: - - matchSnapshot: {} - - it: deployment with security context - template: deployment.yaml - set: - security: - mountServiceAccountToken: true - asserts: - - equal: - path: spec.template.spec.securityContext - value: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - equal: - path: spec.template.spec.serviceAccountName - value: account-operator - - equal: - path: spec.template.spec.automountServiceAccountToken - value: true - - it: deployment with tracing - template: deployment.yaml - set: - tracing: - enabled: true - collector: - endpoint: test:4317 - asserts: - - matchSnapshot: {} diff --git a/charts/account-operator/values.yaml b/charts/account-operator/values.yaml deleted file mode 100644 index e2ff9468b..000000000 --- a/charts/account-operator/values.yaml +++ /dev/null @@ -1,70 +0,0 @@ -image: - # -- The image repository - name: ghcr.io/openmfp/account-operator - # Overwrite image.tag to use a different image tag then .chart.appVersion - # tag: latest - -crds: - # -- Enable CRDs - enabled: true - -webhooks: - # -- Enable webhooks - enabled: true - - # -- Register webhooks, flag to toggle if webhooks should be registered on the runtime cluster - register: false - # -- The directory for webhook certificates - certDir: /certs - -# -- The KCP configuration -kcp: - # -- Enable KCP - enabled: false - # -- The URL for the virtual workspace - virtualWorkspaceUrl: "" - # -- KCP APIExportEndpointSliceName - apiExportEndpointSliceName: "core.openmfp.org" - -subroutines: - namespace: - # -- Enable namespace subroutines - enabled: true - fga: - # -- Enable FGA subroutines - enabled: true - # -- The gRPC address for FGA - grpcAddr: openmfp-openfga:8081 - # -- The root namespace for FGA - rootNamespace: openmfp-root - # -- The object type for FGA - objectType: account - # -- The parent relation for FGA - parentRelation: parent - # -- The creator relation for FGA - creatorRelation: owner - extension: - # -- Enable extension subroutines - enabled: true - extensionReady: - # -- Enable extension ready subroutines - enabled: true - -# -- The secret for kubeconfig -kubeconfigSecret: "" - -security: - # -- Mount the service account token - mountServiceAccountToken: true - -deployment: - specTemplate: - # -- The annotations for the deployment - annotations: {} - # -- The labels for the deployment - labels: {} - - hostAliases: [] -# - hostnames: -# - kcp.dev.local -# ip: 10.96.0.100