From 8607c7a82d2d867fceb6ae20e7e8bae52f186b4d Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Thu, 25 Jul 2024 17:32:39 -0700 Subject: [PATCH 1/4] refactor: create root level HelmConfig struct which applies to all HelmReleases --- api/v1alpha1/validatorconfig_types.go | 20 +++--- api/v1alpha1/zz_generated.deepcopy.go | 10 +-- ...on.spectrocloud.labs_validatorconfigs.yaml | 61 ++++++++++--------- .../controller/validatorconfig_controller.go | 45 +++++++------- .../validatorconfig_controller_test.go | 13 ++-- 5 files changed, 76 insertions(+), 73 deletions(-) diff --git a/api/v1alpha1/validatorconfig_types.go b/api/v1alpha1/validatorconfig_types.go index 7c7808cb..8248f3cd 100644 --- a/api/v1alpha1/validatorconfig_types.go +++ b/api/v1alpha1/validatorconfig_types.go @@ -23,6 +23,9 @@ import ( // ValidatorConfigSpec defines the desired state of ValidatorConfig. type ValidatorConfigSpec struct { + // HelmConfig defines the configuration for the Helm repository. + HelmConfig HelmConfig `json:"helmConfig" yaml:"helmConfig"` + // Plugins defines the configuration for the validator plugins. Plugins []HelmRelease `json:"plugins,omitempty" yaml:"plugins,omitempty"` 
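Review bot: `HelmConfig` is added as a required field (no `omitempty`, and the CRD in this series lists `helmConfig` under `required`) while `plugins[].chart` is removed, all inside `v1alpha1` with no conversion; existing ValidatorConfig objects stored in the old shape will presumably fail validation on their next update and lose their per-plugin repository and auth settings on decode. If that break is intended, state it on the field so it lands in the generated CRD description, e.g. `// HelmConfig defines the repository, auth secret and TLS settings shared by every plugin chart. Required; replaces the former per-plugin chart.repository, chart.authSecretName, chart.caFile and chart.insecureSkipVerify fields.` The `ValidatorConfigSpec` struct continues past the end of the hunk.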
@@ -42,24 +45,21 @@ type Sink struct { // HelmRelease defines the configuration for a Helm chart release. type HelmRelease struct { - // Chart defines the Helm chart to be installed. - Chart HelmChart `json:"chart" yaml:"chart"` + // Name of the Helm chart. + Name string `json:"name" yaml:"name"` + + // Version of the Helm chart. + Version string `json:"version" yaml:"version"` // Values defines the values to be passed to the Helm chart. Values string `json:"values" yaml:"values"` } -// HelmChart defines the configuration for a Helm chart. -type HelmChart struct { - // Name of the Helm chart. - Name string `json:"name" yaml:"name"` - +// HelmConfig defines the configuration for a Helm repository. +type HelmConfig struct { // Repository URL of the Helm chart. Repository string `json:"repository" yaml:"repository"` - // Version of the Helm chart. - Version string `json:"version" yaml:"version"` - // CAFile is the path to the CA certificate for the Helm repository. CAFile string `json:"caFile,omitempty" yaml:"caFile,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 3132678a..84e128c0 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -26,16 +26,16 @@ import ( ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HelmChart) DeepCopyInto(out *HelmChart) { +func (in *HelmConfig) DeepCopyInto(out *HelmConfig) { *out = *in } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChart. -func (in *HelmChart) DeepCopy() *HelmChart { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmConfig. +func (in *HelmConfig) DeepCopy() *HelmConfig { if in == nil { return nil } - out := new(HelmChart) + out := new(HelmConfig) in.DeepCopyInto(out) return out } 
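Review bot: `HelmRelease.Name` gets no validation although it is used as the Helm release name (`r.HelmClient.Upgrade(p.Name, ...)`), as the local chart path component in `fmt.Sprintf("/charts/%s", opts.Chart)`, and, after the follow-up patch in this series, as a path segment of the repository URL; a name containing `/` or `..` would change where the chart is fetched from and written to. If the CRD is generated with controller-gen, as `config/crd/bases` suggests, restrict it at the API with a marker such as `// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` and say in the comment that `Name` is also the release name. `Version` is likewise passed straight through, with the leading `v` trimmed only on the OCI branch, which its comment could mention.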
@@ -43,7 +43,6 @@ func (in *HelmChart) DeepCopy() *HelmChart { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HelmRelease) DeepCopyInto(out *HelmRelease) { *out = *in - out.Chart = in.Chart } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRelease. @@ -262,6 +261,7 @@ func (in *ValidatorConfigList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ValidatorConfigSpec) DeepCopyInto(out *ValidatorConfigSpec) { *out = *in + out.HelmConfig = in.HelmConfig if in.Plugins != nil { in, out := &in.Plugins, &out.Plugins *out = make([]HelmRelease, len(*in)) diff --git a/config/crd/bases/validation.spectrocloud.labs_validatorconfigs.yaml b/config/crd/bases/validation.spectrocloud.labs_validatorconfigs.yaml index e1e422f6..508052eb 100644 --- a/config/crd/bases/validation.spectrocloud.labs_validatorconfigs.yaml +++ b/config/crd/bases/validation.spectrocloud.labs_validatorconfigs.yaml 
@@ -39,48 +39,47 @@ spec: spec: description: ValidatorConfigSpec defines the desired state of ValidatorConfig. properties: + helmConfig: + description: HelmConfig defines the configuration for the Helm repository. + properties: + authSecretName: + description: AuthSecretName is the name of the K8s secret containing + the authentication details for the Helm repository. + type: string + caFile: + description: CAFile is the path to the CA certificate for the + Helm repository. + type: string + insecureSkipVerify: + description: InsecureSkipTLSVerify skips the verification of the + server's certificate chain and host name. + type: boolean + repository: + description: Repository URL of the Helm chart. + type: string + required: + - repository + type: object plugins: description: Plugins defines the configuration for the validator plugins. items: description: HelmRelease defines the configuration for a Helm chart release. properties: - chart: - description: Chart defines the Helm chart to be installed. - properties: - authSecretName: - description: AuthSecretName is the name of the K8s secret - containing the authentication details for the Helm repository. - type: string - caFile: - description: CAFile is the path to the CA certificate for - the Helm repository. - type: string - insecureSkipVerify: - description: InsecureSkipTLSVerify skips the verification - of the server's certificate chain and host name. - type: boolean - name: - description: Name of the Helm chart. - type: string - repository: - description: Repository URL of the Helm chart. - type: string - version: - description: Version of the Helm chart. - type: string - required: - - name - - repository - - version - type: object + name: + description: Name of the Helm chart. + type: string values: description: Values defines the values to be passed to the Helm chart. type: string + version: + description: Version of the Helm chart. 
+ type: string required: - - chart + - name - values + - version type: object type: array sink: @@ -100,6 +99,8 @@ spec: - secretName - type type: object + required: + - helmConfig type: object status: description: ValidatorConfigStatus defines the observed state of ValidatorConfig diff --git a/internal/controller/validatorconfig_controller.go b/internal/controller/validatorconfig_controller.go index 2cc1a4a1..2a96e64b 100644 --- a/internal/controller/validatorconfig_controller.go +++ b/internal/controller/validatorconfig_controller.go 
@@ -150,40 +150,41 @@ func (r *ValidatorConfigReconciler) redeployIfNeeded(ctx context.Context, vc *v1 specPlugins := make(map[string]bool) conditions := make([]v1alpha1.ValidatorPluginCondition, len(vc.Spec.Plugins)) + helmConfig := vc.Spec.HelmConfig for i, p := range vc.Spec.Plugins { - specPlugins[p.Chart.Name] = true + specPlugins[p.Name] = true // update plugin's values hash valuesUnchanged := r.updatePluginHash(vc, p) // skip plugin if already deployed & no change in values - condition, ok := isConditionTrue(vc, p.Chart.Name, v1alpha1.HelmChartDeployedCondition) + condition, ok := isConditionTrue(vc, p.Name, v1alpha1.HelmChartDeployedCondition) if ok && valuesUnchanged { - r.Log.V(0).Info("Values unchanged. Skipping upgrade for plugin Helm chart", "namespace", vc.Namespace, "name", p.Chart.Name) + r.Log.V(0).Info("Values unchanged. Skipping upgrade for plugin Helm chart", "namespace", vc.Namespace, "name", p.Name) conditions[i] = condition continue } opts := &helm.Options{ - Chart: p.Chart.Name, - Repo: p.Chart.Repository, - Version: p.Chart.Version, + Chart: p.Name, + Repo: helmConfig.Repository, + Version: p.Version, Values: p.Values, - InsecureSkipTLSVerify: p.Chart.InsecureSkipTLSVerify, + InsecureSkipTLSVerify: helmConfig.InsecureSkipTLSVerify, } - if p.Chart.AuthSecretName != "" { - nn := types.NamespacedName{Name: p.Chart.AuthSecretName, Namespace: vc.Namespace} + if helmConfig.AuthSecretName != "" { + nn := types.NamespacedName{Name: helmConfig.AuthSecretName, Namespace: vc.Namespace} if err := r.configureHelmOpts(ctx, nn, opts); err != nil { r.Log.V(0).Error(err, "failed to configure basic auth for Helm upgrade") - conditions[i] = r.buildHelmChartCondition(p.Chart.Name, err) + conditions[i] = r.buildHelmChartCondition(p.Name, err) continue } } var cleanupLocalChart bool - if strings.HasPrefix(p.Chart.Repository, oci.Scheme) { - r.Log.V(0).Info("Pulling plugin Helm chart", "name", p.Chart.Name) + if strings.HasPrefix(helmConfig.Repository, 
oci.Scheme) { + r.Log.V(0).Info("Pulling plugin Helm chart", "name", p.Name) opts.Path = fmt.Sprintf("/charts/%s", opts.Chart) opts.Version = strings.TrimPrefix(opts.Version, "v") @@ -196,7 +197,7 @@ func (r *ValidatorConfigReconciler) redeployIfNeeded(ctx context.Context, vc *v1 ) if err != nil { r.Log.V(0).Error(err, "failed to create OCI client") - conditions[i] = r.buildHelmChartCondition(p.Chart.Name, err) + conditions[i] = r.buildHelmChartCondition(p.Name, err) continue } ociOpts := oci.ImageOptions{ 
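Review bot: `InsecureSkipTLSVerify` and `AuthSecretName` now come from the single root `helmConfig`, so one flag disables certificate and hostname verification for every plugin chart download instead of for one chart; a reasonable simplification, but it should be loud. Log it once before the loop, e.g. `if helmConfig.InsecureSkipTLSVerify { r.Log.V(0).Info("WARNING: TLS verification disabled for all plugin Helm chart downloads", "repository", helmConfig.Repository) }`. Note also that `updatePluginHash` (later hunk) hashes only `p.Values`, so changing `helmConfig.Repository`, the auth secret, or `p.Version` without touching values still takes the `Values unchanged` skip; that predates this change, but a shared repository setting makes it easier to trip over. `redeployIfNeeded` continues past the end of the hunk.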
@@ -206,27 +207,27 @@ func (r *ValidatorConfigReconciler) redeployIfNeeded(ctx context.Context, vc *v1 } if err := ociClient.PullChart(ociOpts); err != nil { r.Log.V(0).Error(err, "failed to pull Helm chart from OCI registry") - conditions[i] = r.buildHelmChartCondition(p.Chart.Name, err) + conditions[i] = r.buildHelmChartCondition(p.Name, err) continue } - r.Log.V(0).Info("Reconfiguring Helm options to deploy local chart", "name", p.Chart.Name) + r.Log.V(0).Info("Reconfiguring Helm options to deploy local chart", "name", p.Name) opts.Path = fmt.Sprintf("%s/%s.tgz", opts.Path, opts.Chart) opts.Chart = "" cleanupLocalChart = true } - r.Log.V(0).Info("Installing/upgrading plugin Helm chart", "namespace", vc.Namespace, "name", p.Chart.Name) - err := r.HelmClient.Upgrade(p.Chart.Name, vc.Namespace, *opts) + r.Log.V(0).Info("Installing/upgrading plugin Helm chart", "namespace", vc.Namespace, "name", p.Name) + err := r.HelmClient.Upgrade(p.Name, vc.Namespace, *opts) if err != nil { // if Helm install/upgrade failed, delete the release so installation is reattempted each iteration if strings.Contains(err.Error(), "has no deployed releases") { - if err := r.HelmClient.Delete(p.Chart.Name, vc.Namespace); err != nil { + if err := r.HelmClient.Delete(p.Name, vc.Namespace); err != nil { r.Log.V(0).Error(err, "failed to delete Helm release") } } } - conditions[i] = r.buildHelmChartCondition(p.Chart.Name, err) + conditions[i] = r.buildHelmChartCondition(p.Name, err) if cleanupLocalChart { r.Log.V(0).Info("Cleaning up local chart directory", "path", opts.Path) @@ -290,7 +291,7 @@ func (r *ValidatorConfigReconciler) updatePluginHash(vc *v1alpha1.ValidatorConfi valuesUnchanged := false pluginValuesHashLatest := sha256.Sum256([]byte(p.Values)) pluginValuesHashLatestB64 := base64.StdEncoding.EncodeToString(pluginValuesHashLatest[:]) - key := getPluginHashKey(p.Chart.Name) + key := getPluginHashKey(p.Name) pluginValuesHash, ok := vc.Annotations[key] if ok { 
@@ -310,7 +311,7 @@ func getPluginHashKey(pluginName string) string { func (r *ValidatorConfigReconciler) deletePlugins(ctx context.Context, vc *v1alpha1.ValidatorConfig) error { var wg sync.WaitGroup for _, p := range vc.Spec.Plugins { - release, err := r.HelmReleaseClient.Get(ctx, p.Chart.Name, vc.Namespace) + release, err := r.HelmReleaseClient.Get(ctx, p.Name, vc.Namespace) if err != nil { if !apierrs.IsNotFound(err) { return err @@ -325,7 +326,7 @@ func (r *ValidatorConfigReconciler) deletePlugins(ctx context.Context, vc *v1alp go func(name string) { defer wg.Done() r.deletePlugin(vc, name) - }(p.Chart.Name) + }(p.Name) } wg.Wait() diff --git a/internal/controller/validatorconfig_controller_test.go b/internal/controller/validatorconfig_controller_test.go index 8b8388ec..6a3470a1 100644 --- a/internal/controller/validatorconfig_controller_test.go +++ b/internal/controller/validatorconfig_controller_test.go @@ -103,7 +103,7 @@ var _ = Describe("ValidatorConfig controller", Ordered, func() { if err := k8sClient.Get(ctx, vcKey, vc); err != nil { return false } - vc.Spec.Plugins[0].Chart.Version = networkPluginVersionPost + vc.Spec.Plugins[0].Version = networkPluginVersionPost vc.Spec.Plugins[0].Values = strings.ReplaceAll( vc.Spec.Plugins[0].Values, networkPluginVersionPre, networkPluginVersionPost, ) @@ -147,13 +147,14 @@ var _ = Describe("ValidatorConfig controller", Ordered, func() { Namespace: validatorNamespace, }, Spec: v1alpha1.ValidatorConfigSpec{ + + HelmConfig: v1alpha1.HelmConfig{ + Repository: "bar", + AuthSecretName: "chart-secret", + }, Plugins: []v1alpha1.HelmRelease{ { - Chart: v1alpha1.HelmChart{ - Name: "foo", - Repository: "bar", - AuthSecretName: "chart-secret", - }, + Name: "foo", }, }, }, From 1815eea8461f6f9b3ac8bd85695ed74588ee77ae Mon Sep 17 00:00:00 2001 
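Review bot: The new `HelmConfig` literal in the `@@ -147` test hunk is preceded by a stray blank line directly after `Spec: v1alpha1.ValidatorConfigSpec{`; drop it so the literal reads like the rest of the file. The test also sets only `Repository: "bar"`, which is not a URL, and no `Version`; a one-line comment saying this case is expected to fail before any chart is fetched (presumably on the missing `chart-secret`) would make the intent clear.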
From: Ahmad Ibrahim Date: Thu, 25 Jul 2024 18:00:03 -0700 Subject: [PATCH 2/4] fix: ensure plugin repo and name are used to deploy plugin --- internal/controller/testdata/vc-network.yaml | 10 +++++----- internal/controller/validatorconfig_controller.go | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/controller/testdata/vc-network.yaml b/internal/controller/testdata/vc-network.yaml index f112ecff..240b4529 100644 --- a/internal/controller/testdata/vc-network.yaml +++ b/internal/controller/testdata/vc-network.yaml @@ -9,12 +9,12 @@ metadata: name: validator-config-test namespace: validator spec: + helmConfig: + repository: https://validator-labs.github.io + authSecretName: validator-plugin-network-chart-secret plugins: - - chart: - name: validator-plugin-network - repository: https://validator-labs.github.io/validator-plugin-network - authSecretName: validator-plugin-network-chart-secret - version: v0.0.15 + - name: validator-plugin-network + version: v0.0.15 values: |- controllerManager: kubeRbacProxy: diff --git a/internal/controller/validatorconfig_controller.go b/internal/controller/validatorconfig_controller.go index 2a96e64b..48b10db0 100644 --- a/internal/controller/validatorconfig_controller.go +++ b/internal/controller/validatorconfig_controller.go @@ -167,7 +167,7 @@ func (r *ValidatorConfigReconciler) redeployIfNeeded(ctx context.Context, vc *v1 opts := &helm.Options{ Chart: p.Name, - Repo: helmConfig.Repository, + Repo: fmt.Sprintf("%s/%s", helmConfig.Repository, p.Name), Version: p.Version, Values: p.Values, InsecureSkipTLSVerify: helmConfig.InsecureSkipTLSVerify, From aa6afe633640f09f8c82014c37e77ea9a4c8cc30 Mon Sep 17 00:00:00 2001 
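Review bot: Building the chart URL with `fmt.Sprintf("%s/%s", helmConfig.Repository, p.Name)` yields a double slash when the configured repository ends in `/`, and because `p.Name` is an unvalidated CRD string, a name containing `/`, `..`, `?` or `#` rewrites the fetch location on the repository host (it is also still used for the `/charts/%s` local path on the OCI branch). Prefer `Repo: strings.TrimSuffix(helmConfig.Repository, "/") + "/" + p.Name,` here together with a pattern restriction on `HelmRelease.Name` at the API. For OCI repositories the scheme check still runs on `helmConfig.Repository` while `opts.Repo` now carries the chart name appended; whether the OCI client expects that suffix is not visible here and is worth a test, since the updated `vc-network.yaml` only covers the HTTPS case.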
From: Ahmad Ibrahim Date: Thu, 25 Jul 2024 18:50:53 -0700 Subject: [PATCH 3/4] chore: make reviewable --- chart/validator/README.md | 3 ++- chart/validator/values.yaml | 45 ++++++++++++++----------------------- hack/chart/values-base.yaml | 3 +++ hack/update-versions.sh | 8 +++---- hauler-manifest.yaml | 2 +- 5 files changed, 26 insertions(+), 35 deletions(-) diff --git a/chart/validator/README.md b/chart/validator/README.md index ba1b8958..6eac33ae 100644 --- a/chart/validator/README.md +++ b/chart/validator/README.md 
@@ -51,7 +51,8 @@ The following table lists the configurable parameters of the Validator chart and | `pluginSecrets.vSphere` | Don't forget to delete these curly braces if you're specifying credentials here! | `{}` | | `pluginSecrets.oci.auth` | Don't forget to delete these square brackets if you're specifying credentials here! | `[]` | | `pluginSecrets.oci.pubKeys` | Don't forget to delete these square brackets if you're specifying public keys here! | `[]` | -| `plugins` | | `[{"chart": {"name": "validator-plugin-azure", "repository": "https://validator-labs.github.io/validator-plugin-azure", "version": "v0.0.13"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-azure\n tag: v0.0.13\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: 
ClusterIP\nauth:\n # Leave secret undefined for implicit auth (e.g., WorkloadIdentity credentials)\n secret: {}\n # Specify the name of a secret in your cluster that contains Azure credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-azure.yaml\n # secretName: azure-creds\n\n # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)\n # WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"chart": {"name": "validator-plugin-oci", "repository": "https://validator-labs.github.io/validator-plugin-oci", "version": "v0.0.11"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-oci\n tag: v0.0.11\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"chart": {"name": "validator-plugin-kubescape", "repository": "https://validator-labs.github.io/validator-plugin-kubescape", "version": "v0.0.3"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - 
--logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-kubescape\n tag: v0.0.3\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"chart": {"name": "validator-plugin-aws", "repository": "https://validator-labs.github.io/validator-plugin-aws", "version": "v0.1.1"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: 
quay.io/validator-labs/validator-plugin-aws\n tag: v0.1.1\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit auth (node instance IAM role, IAM roles for Service Accounts, etc.)\n secret: {}\n # Specify the name of a secret in your cluster that contains AWS credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-aws.yaml\n # secretName: aws-creds\n\n # Override the service account used by AWS validator (optional, could be used for IAM roles for Service Accounts)\n # WARNING: the chosen service account must have the same RBAC privileges as seen in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"chart": {"name": "validator-plugin-network", "repository": "https://validator-labs.github.io/validator-plugin-network", "version": "v0.0.19"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - NET_RAW\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-network\n tag: v0.0.19\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n 
ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"chart": {"name": "validator-plugin-maas", "repository": "https://validator-labs.github.io/validator-plugin-maas", "version": "v0.0.4"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-maas\n tag: v0.0.4\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"chart": {"name": "validator-plugin-vsphere", "repository": "https://validator-labs.github.io/validator-plugin-vsphere", "version": "v0.0.27"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --metrics-bind-address=127.0.0.1:8080\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: 
quay.io/validator-labs/validator-plugin-vsphere\n tag: v0.0.27\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Specify the name of a secret in your cluster that contains vSphere credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-vsphere.yaml\n secretName: vsphere-credentials"}]` | +| `helmConfig.repository` | | `"https://validator-labs.github.io"` | +| `plugins` | | `[{"name": "validator-plugin-azure", "version": "v0.0.13", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-azure\n tag: v0.0.13\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: 
cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit auth (e.g., WorkloadIdentity credentials)\n secret: {}\n # Specify the name of a secret in your cluster that contains Azure credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-azure.yaml\n # secretName: azure-creds\n\n # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)\n # WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"name": "validator-plugin-oci", "version": "v0.0.11", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-oci\n tag: v0.0.11\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-kubescape", "version": "v0.0.3", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n 
allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-kubescape\n tag: v0.0.3\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-aws", "version": "v0.1.1", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-aws\n tag: v0.1.1\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 
64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit auth (node instance IAM role, IAM roles for Service Accounts, etc.)\n secret: {}\n # Specify the name of a secret in your cluster that contains AWS credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-aws.yaml\n # secretName: aws-creds\n\n # Override the service account used by AWS validator (optional, could be used for IAM roles for Service Accounts)\n # WARNING: the chosen service account must have the same RBAC privileges as seen in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"name": "validator-plugin-network", "version": "v0.0.19", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - NET_RAW\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-network\n tag: v0.0.19\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-maas", "version": "v0.0.4", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - 
--secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-maas\n tag: v0.0.4\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-vsphere", "version": "v0.0.27", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --metrics-bind-address=127.0.0.1:8080\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-vsphere\n tag: v0.0.27\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Specify the 
name of a secret in your cluster that contains vSphere credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-vsphere.yaml\n secretName: vsphere-credentials"}]` |
diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml
index a73bfa69..918102de 100644
--- a/chart/validator/values.yaml
+++ b/chart/validator/values.yaml
@@ -185,12 +185,13 @@ pluginSecrets:
 #
 # -----END PUBLIC KEY-----
+helmConfig:
+ repository: "https://validator-labs.github.io"
+
 # Validation plugin charts
 plugins:
-- chart:
- name: validator-plugin-azure
- repository: "https://validator-labs.github.io/validator-plugin-azure"
- version: v0.0.13
+- name: validator-plugin-azure
+ version: v0.0.13
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -262,10 +263,8 @@ plugins:
 # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)
 # WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml
 serviceAccountName: ""
-- chart:
- name: validator-plugin-oci
- repository: "https://validator-labs.github.io/validator-plugin-oci"
- version: v0.0.11
+- name: validator-plugin-oci
+ version: v0.0.11
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -319,10 +318,8 @@ plugins:
 protocol: TCP
 targetPort: https
 type: ClusterIP
-- chart:
- name: validator-plugin-kubescape
- repository: "https://validator-labs.github.io/validator-plugin-kubescape"
- version: v0.0.3
+- name: validator-plugin-kubescape
+ version: v0.0.3
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -384,10 +381,8 @@ plugins:
 protocol: TCP
 targetPort: https
 type: ClusterIP
-- chart:
- name: validator-plugin-aws
- repository: "https://validator-labs.github.io/validator-plugin-aws"
- version: v0.1.1
+- name: validator-plugin-aws
+ version: v0.1.1
 values: |-
 controllerManager:
 kubeRbacProxy:
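Review bot: The new `helmConfig.repository` block in the @@ -185 hunk carries no comment saying how it relates to the entries under `plugins`: the removed per-plugin `repository` values pointed at `https://validator-labs.github.io/<chart name>`, while the root value is only `https://validator-labs.github.io`, so a reader of values.yaml cannot tell whether the chart name is appended per entry or every chart is now expected in one index. Suggest a comment above the key, e.g. `# Helm repository shared by every chart listed under plugins; presumably the chart name is joined to this URL per entry — confirm against the controller`. The same block is added without a comment in the hack/chart/values-base.yaml hunk, which appears to be the base that hack/update-versions.sh builds values.yaml from, so the comment belongs there as well. Since one URL is now the source for all plugin charts, any repository-level trust settings configured alongside it apply to every plugin at once, which is worth stating in the same comment.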
@@ -451,10 +446,8 @@ plugins: # Override the service account used by AWS validator (optional, could be used for IAM roles for Service Accounts) # WARNING: the chosen service account must have the same RBAC privileges as seen in templates/manager-rbac.yaml serviceAccountName: "" -- chart: - name: validator-plugin-network - repository: "https://validator-labs.github.io/validator-plugin-network" - version: v0.0.19 +- name: validator-plugin-network + version: v0.0.19 values: |- controllerManager: kubeRbacProxy: @@ -510,10 +503,8 @@ plugins: protocol: TCP targetPort: https type: ClusterIP -- chart: - name: validator-plugin-maas - repository: "https://validator-labs.github.io/validator-plugin-maas" - version: v0.0.4 +- name: validator-plugin-maas + version: v0.0.4 values: |- controllerManager: kubeRbacProxy: @@ -567,10 +558,8 @@ plugins: protocol: TCP targetPort: https type: ClusterIP -- chart: - name: validator-plugin-vsphere - repository: "https://validator-labs.github.io/validator-plugin-vsphere" - version: v0.0.27 +- name: validator-plugin-vsphere + version: v0.0.27 values: |- controllerManager: kubeRbacProxy: diff --git a/hack/chart/values-base.yaml b/hack/chart/values-base.yaml index d867de12..ce9735a2 100644 --- a/hack/chart/values-base.yaml +++ b/hack/chart/values-base.yaml @@ -185,5 +185,8 @@ pluginSecrets: # # -----END PUBLIC KEY----- +helmConfig: + repository: "https://validator-labs.github.io" + # Validation plugin charts plugins: diff --git a/hack/update-versions.sh b/hack/update-versions.sh index 0da6b714..5080dcc4 100755 --- a/hack/update-versions.sh +++ b/hack/update-versions.sh @@ -25,10 +25,8 @@ function addChartValues { # Append the plugin's values to chart/validator/values.yaml cat <> chart/validator/values.yaml -- chart: - name: $1 - repository: "https://validator-labs.github.io/$1" - version: v$2 +- name: $1 + version: v$2 values: |- $indentedValues EOF 
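Review bot: `addChartValues` now emits only `name` and `version` for each plugin, so the generated entry depends on a `helmConfig.repository` key that this function never writes; that key comes from hack/chart/values-base.yaml in this same patch, and nothing in the function records the coupling. A one-line comment before the heredoc would make it explicit: `# Repository is not emitted per plugin; it is inherited from the root-level helmConfig in hack/chart/values-base.yaml`. Separately, `$1` and `$2` are still interpolated into the YAML heredoc unquoted; the names presumably come from a fixed list, but a value containing YAML-significant characters would corrupt values.yaml, so a comment stating that assumption (or a simple pattern check) would help. The heredoc line renders here as `cat <> chart/validator/values.yaml`, which looks like extraction damage rather than the real redirection. The body of `addChartValues` begins before this hunk.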
@@ -65,4 +63,4 @@
 versions["oci"]=$OCI_VERSION
 versions["vsphere"]=$VSPHERE_VERSION
 updateHaulerManifest
-updateValues
\ No newline at end of file
+updateValues
diff --git a/hauler-manifest.yaml b/hauler-manifest.yaml
index 3ae2fe76..562a98d5 100644
--- a/hauler-manifest.yaml
+++ b/hauler-manifest.yaml
@@ -57,4 +57,4 @@ metadata:
 spec:
 files:
 - name: validatorctl
- path: https://github.com/validator-labs/validatorctl/releases/download/v0.0.4/validator-linux-amd64
\ No newline at end of file
+ path: https://github.com/validator-labs/validatorctl/releases/download/v0.0.5/validator-linux-amd64
\ No newline at end of file
From 6c337897871592533d84e4f54abe19e330d86a5d Mon Sep 17 00:00:00 2001
From: Ahmad Ibrahim
Date: Mon, 29 Jul 2024 15:41:24 -0700
Subject: [PATCH 4/4] chore: make reviewable
---
 chart/validator/README.md | 2 +-
 chart/validator/values.yaml | 28 ++++++++++++++--------------
 hauler-manifest.yaml | 30 +++++++++++++++---------------
 3 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/chart/validator/README.md b/chart/validator/README.md
index 6eac33ae..d7669f3f 100644
--- a/chart/validator/README.md
+++ b/chart/validator/README.md
@@ -52,7 +52,7 @@ The following table lists the configurable parameters of the Validator chart and | `pluginSecrets.oci.auth` | Don't forget to delete these square brackets if you're specifying credentials here! | `[]` | | `pluginSecrets.oci.pubKeys` | Don't forget to delete these square brackets if you're specifying public keys here! | `[]` | | `helmConfig.repository` | | `"https://validator-labs.github.io"` | -| `plugins` | | `[{"name": "validator-plugin-azure", "version": "v0.0.13", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-azure\n tag: v0.0.13\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit auth (e.g., WorkloadIdentity credentials)\n secret: {}\n # Specify the name of a 
secret in your cluster that contains Azure credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-azure.yaml\n # secretName: azure-creds\n\n # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)\n # WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"name": "validator-plugin-oci", "version": "v0.0.11", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-oci\n tag: v0.0.11\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-kubescape", "version": "v0.0.3", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - 
--health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-kubescape\n tag: v0.0.3\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-aws", "version": "v0.1.1", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-aws\n tag: v0.1.1\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit 
auth (node instance IAM role, IAM roles for Service Accounts, etc.)\n secret: {}\n # Specify the name of a secret in your cluster that contains AWS credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-aws.yaml\n # secretName: aws-creds\n\n # Override the service account used by AWS validator (optional, could be used for IAM roles for Service Accounts)\n # WARNING: the chosen service account must have the same RBAC privileges as seen in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"name": "validator-plugin-network", "version": "v0.0.19", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - NET_RAW\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-network\n tag: v0.0.19\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-maas", "version": "v0.0.4", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n 
resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-maas\n tag: v0.0.4\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-vsphere", "version": "v0.0.27", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --metrics-bind-address=127.0.0.1:8080\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-vsphere\n tag: v0.0.27\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Specify the name of a secret in your cluster that contains vSphere credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-vsphere.yaml\n secretName: vsphere-credentials"}]` | +| `plugins` | | `[{"name": "validator-plugin-azure", 
"version": "v0.0.14", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-azure\n tag: v0.0.14\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit auth (e.g., WorkloadIdentity credentials)\n secret: {}\n # Specify the name of a secret in your cluster that contains Azure credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-azure.yaml\n # secretName: azure-creds\n\n # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)\n # WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"name": 
"validator-plugin-oci", "version": "v0.0.12", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-oci\n tag: v0.0.12\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-kubescape", "version": "v0.0.4", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-kubescape\n tag: v0.0.4\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n 
volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\n # Optionally specify additional labels to use for the controller-manager Pods.\n podLabels: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-aws", "version": "v0.1.2", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-aws\n tag: v0.1.2\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Leave secret undefined for implicit auth (node instance IAM role, IAM roles for Service Accounts, etc.)\n secret: {}\n # Specify the name of a secret in your cluster that contains AWS credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-aws.yaml\n # secretName: aws-creds\n\n # Override the service account used by AWS validator (optional, could be used for IAM roles for Service Accounts)\n # WARNING: the chosen service account must have the same 
RBAC privileges as seen in templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"name": "validator-plugin-network", "version": "v0.0.20", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - NET_RAW\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-network\n tag: v0.0.20\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-maas", "version": "v0.0.5", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-maas\n tag: v0.0.5\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: 
{}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"name": "validator-plugin-vsphere", "version": "v0.0.28", "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.16.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --metrics-bind-address=127.0.0.1:8080\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/validator-labs/validator-plugin-vsphere\n tag: v0.0.28\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Specify the name of a secret in your cluster that contains vSphere credentials.\n # E.g.: https://github.com/validator-labs/validator/blob/main/chart/validator/templates/plugin-secret-vsphere.yaml\n secretName: vsphere-credentials"}]` | diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml index 918102de..36c9e958 100644 --- a/chart/validator/values.yaml +++ b/chart/validator/values.yaml @@ -191,7 +191,7 @@ helmConfig: # Validation plugin charts plugins: - name: validator-plugin-azure - version: v0.0.13 + version: v0.0.14 values: |- controllerManager: kubeRbacProxy: @@ -226,7 +226,7 @@ plugins: - ALL image: repository: quay.io/validator-labs/validator-plugin-azure - tag: v0.0.13 + tag: v0.0.14 resources: limits: cpu: 500m 
@@ -264,7 +264,7 @@ plugins:
 # WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml
 serviceAccountName: ""
 - name: validator-plugin-oci
- version: v0.0.11
+ version: v0.0.12
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -299,7 +299,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/validator-labs/validator-plugin-oci
- tag: v0.0.11
+ tag: v0.0.12
 resources:
 limits:
 cpu: 500m
@@ -319,7 +319,7 @@ plugins:
 targetPort: https
 type: ClusterIP
 - name: validator-plugin-kubescape
- version: v0.0.3
+ version: v0.0.4
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -354,7 +354,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/validator-labs/validator-plugin-kubescape
- tag: v0.0.3
+ tag: v0.0.4
 resources:
 limits:
 cpu: 500m
@@ -382,7 +382,7 @@ plugins:
 targetPort: https
 type: ClusterIP
 - name: validator-plugin-aws
- version: v0.1.1
+ version: v0.1.2
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -417,7 +417,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/validator-labs/validator-plugin-aws
- tag: v0.1.1
+ tag: v0.1.2
 resources:
 limits:
 cpu: 500m
@@ -447,7 +447,7 @@ plugins:
 # WARNING: the chosen service account must have the same RBAC privileges as seen in templates/manager-rbac.yaml
 serviceAccountName: ""
 - name: validator-plugin-network
- version: v0.0.19
+ version: v0.0.20
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -484,7 +484,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/validator-labs/validator-plugin-network
- tag: v0.0.19
+ tag: v0.0.20
 resources:
 limits:
 cpu: 500m
@@ -504,7 +504,7 @@ plugins:
 targetPort: https
 type: ClusterIP
 - name: validator-plugin-maas
- version: v0.0.4
+ version: v0.0.5
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -539,7 +539,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/validator-labs/validator-plugin-maas
- tag: v0.0.4
+ tag: v0.0.5
 resources:
 limits:
 cpu: 500m
@@ -559,7 +559,7 @@ plugins:
 targetPort: https
 type: ClusterIP
 - name: validator-plugin-vsphere
- version: v0.0.27
+ version: v0.0.28
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -595,7 +595,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/validator-labs/validator-plugin-vsphere
- tag: v0.0.27
+ tag: v0.0.28
 resources:
 limits:
 cpu: 500m
diff --git a/hauler-manifest.yaml b/hauler-manifest.yaml
index 562a98d5..05952dc2 100644
--- a/hauler-manifest.yaml
+++ b/hauler-manifest.yaml
@@ -5,13 +5,13 @@ metadata:
 spec:
 images:
 - name: quay.io/validator-labs/validator:v0.0.49 # x-release-please-version
- - name: quay.io/validator-labs/validator-plugin-aws:v0.1.1
- - name: quay.io/validator-labs/validator-plugin-azure:v0.0.13
- - name: quay.io/validator-labs/validator-plugin-kubescape:v0.0.3
- - name: quay.io/validator-labs/validator-plugin-maas:v0.0.4
- - name: quay.io/validator-labs/validator-plugin-network:v0.0.19
- - name: quay.io/validator-labs/validator-plugin-oci:v0.0.11
- - name: quay.io/validator-labs/validator-plugin-vsphere:v0.0.27
+ - name: quay.io/validator-labs/validator-plugin-aws:v0.1.2
+ - name: quay.io/validator-labs/validator-plugin-azure:v0.0.14
+ - name: quay.io/validator-labs/validator-plugin-kubescape:v0.0.4
+ - name: quay.io/validator-labs/validator-plugin-maas:v0.0.5
+ - name: quay.io/validator-labs/validator-plugin-network:v0.0.20
+ - name: quay.io/validator-labs/validator-plugin-oci:v0.0.12
+ - name: quay.io/validator-labs/validator-plugin-vsphere:v0.0.28
 - name: quay.io/validator-labs/validator-certs-init:1.0.0
 - name: gcr.io/spectro-images-public/release/spectro-cleanup:1.2.0
 - name: kindest/node:v1.30.2
@@ -30,25 +30,25 @@ spec:
 version: 0.0.49 # x-release-please-version
 - name: validator-plugin-aws
 repoURL: https://validator-labs.github.io/validator-plugin-aws
- version: 0.1.1
+ version: 0.1.2
 - name: validator-plugin-azure
 repoURL: https://validator-labs.github.io/validator-plugin-azure
- version: 0.0.13
+ version: 0.0.14
 - name: validator-plugin-kubescape
 repoURL: https://validator-labs.github.io/validator-plugin-kubescape
- version: 0.0.3
+ version: 0.0.4
 - name: validator-plugin-maas
 repoURL: https://validator-labs.github.io/validator-plugin-maas
- version: 0.0.4
+ version: 0.0.5
 - name: validator-plugin-network
 repoURL: https://validator-labs.github.io/validator-plugin-network
- version: 0.0.19
+ version: 0.0.20
 - name: validator-plugin-oci
 repoURL: https://validator-labs.github.io/validator-plugin-oci
- version: 0.0.11
+ version: 0.0.12
 - name: validator-plugin-vsphere
 repoURL: https://validator-labs.github.io/validator-plugin-vsphere
- version: 0.0.27
+ version: 0.0.28
 ---
 apiVersion: content.hauler.cattle.io/v1alpha1
 kind: Files
@@ -57,4 +57,4 @@ metadata:
 spec:
 files:
 - name: validatorctl
- path: https://github.com/validator-labs/validatorctl/releases/download/v0.0.5/validator-linux-amd64
\ No newline at end of file
+ path: https://github.com/validator-labs/validatorctl/releases/download/v0.0.6/validator-linux-amd64
\ No newline at end of file