From b3d700487df56242925197af8dce5118cf916dc0 Mon Sep 17 00:00:00 2001
From: jlandowner
Date: Fri, 10 May 2024 00:36:48 +0900
Subject: [PATCH] Fix charts and chart snapshots
---
 Makefile | 6 +-
 charts/Makefile | 4 +-
 ...-workspace.github.io_clusterinstances.yaml | 103 +-
 ...-workspace.github.io_clustertemplates.yaml | 19 +-
 .../cosmo-workspace.github.io_instances.yaml | 103 +-
 .../cosmo-workspace.github.io_templates.yaml | 19 +-
 .../crds/cosmo-workspace.github.io_users.yaml | 101 +-
 .../cosmo-workspace.github.io_workspaces.yaml | 60 +-
 .../test-certManager-existing-issuer.snap | 2411 ++++++++--------
 ...est-controllerManager-disable-healthz.snap | 2412 ++++++++--------
 ...Manager-disable-metrics-kubeRbacProxy.snap | 2406 ++++++++--------
 ...est-controllerManager-disable-metrics.snap | 2352 +++++++--------
 ...est-controllerManager-disable-webhook.snap | 2020 ++++++-------
 .../test-controllerManager-hostnetwork.snap | 2444 ++++++++--------
 .../test-dashboard-disable-ingressroute.snap | 2349 +++++++--------
 .../test-dashboard-enable-ldap-bind.snap | 2456 ++++++++--------
 ...st-dashboard-enable-ldap-searchfilter.snap | 2456 ++++++++--------
 .../test-dashboard-fixed-session-key.snap | 2440 ++++++++--------
 .../__snapshots__/test-dashboard-timeout.snap | 2440 ++++++++--------
 .../test/__snapshots__/test-default.snap | 2440 ++++++++--------
 .../__snapshots__/test-fullnameOverride.snap | 2438 ++++++++--------
 .../test/__snapshots__/test-localRunTest.snap | 2532 +++++++++--------
 .../test/__snapshots__/test-logging.snap | 2444 ++++++++--------
 .../test/__snapshots__/test-nameOverride.snap | 2440 ++++++++--------
 .../test-podAnnotations-podLabels.snap | 2452 ++++++++--------
 .../__snapshots__/test-traefik-diabled.snap | 1857 ++++++------
 .../test-use-existing-serviceaccount.snap | 2390 ++++++++--------
 27 files changed, 23296 insertions(+), 22298 deletions(-)
diff --git a/Makefile b/Makefile
index 924d4910..78c8620b 100644
--- a/Makefile
+++ b/Makefile
@@ -113,9 +113,9 @@ endif .PHONY: test-all-k8s-versions test-all-k8s-versions: go manifests generate fmt vet envtest ## Run tests on targeting k8s versions. ifeq ($(QUICK_BUILD),no) - -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.26.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) - -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.25.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) - -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.24.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) + -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.30.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) + -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.29.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) + -KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use 1.28.x -p path)" $(GO) test ./... -coverprofile $(COVER_PROFILE) endif .PHONY: clear-snapshots-ui diff --git a/charts/Makefile b/charts/Makefile index ac820664..d237df9a 100644 --- a/charts/Makefile +++ b/charts/Makefile @@ -9,12 +9,12 @@ helm-dependency-update: cd cosmo; ../$(HELM) dependency update chartsnap: - go install github.com/cosmo-workspace/controller-testtools/cmd/chartsnap@latest + -helm plugin install https://github.com/jlandowner/helm-chartsnap TEST_VALUES ?= cosmo/test test: chartsnap helm helm-dependency-update - chartsnap --chart cosmo --values $(TEST_VALUES) --helm-path $(HELM) $(CHARTSNAP_OPT) + helm chartsnap -c cosmo --values $(TEST_VALUES) -n cosmo-system $(CHARTSNAP_OPT) test-list: grep -R '{{[-|] if .*}}' cosmo/templates/* | grep .Values | awk -F':' '{print $$2}' | sed -n 's/.*\(.Values[^ ]*\).*/\1/p' | tr -d ')' | sort | uniq | awk -F'.Values.' '{print $$2}' > cosmo/test/if-values.list diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml index 97e5a574..cb617ffb 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml 
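Review bot: In the charts/Makefile hunk, the new `chartsnap` recipe installs a Helm plugin from the repository's default branch with no version pin, and the leading `-` discards every failure of that install, not only the "plugin already exists" case. Helm plugins can run install hooks and ship executables, so whatever is on that branch at build time runs on the developer or CI machine. Pinning it, e.g. `helm plugin install https://github.com/jlandowner/helm-chartsnap --version <PINNED_VERSION>` (placeholder, the page names no release), and replacing the `-` with an explicit guard such as `helm plugin list | grep -q chartsnap || ...` would make the step reproducible and let real install errors fail the build. Both new lines also call bare `helm`, while `test` still depends on the `helm` target and `helm-dependency-update` uses `../$(HELM)`, so the snapshot test presumably runs with whatever Helm is on PATH rather than the one the Makefile provisions; `$(HELM) chartsnap -c cosmo ...` would keep them consistent. The `test-list` rule continues outside the hunk.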
+++ b/charts/cosmo/crds/cosmo-workspace.github.io_clusterinstances.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clusterinstances.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io @@ -29,14 +29,19 @@ spec: description: ClusterInstance is the Schema for the instances API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,35 +68,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a - valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container - that triggered the event) or if no container name - is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to - have some well-defined way of referencing a part of - an object. TODO: this design is not final and this - field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this - reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -130,33 +140,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml index 201282d3..3b4f2614 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_clustertemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clustertemplates.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -26,14 +26,19 @@ spec: description: ClusterTemplate is the Schema for the Templates API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml index 1474edcb..ace8fe1b 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_instances.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: instances.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io @@ -29,14 +29,19 @@ spec: description: Instance is the Schema for the instances API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,35 +68,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a - valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container - that triggered the event) or if no container name - is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to - have some well-defined way of referencing a part of - an object. TODO: this design is not final and this - field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this - reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -130,33 +140,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml index 3030efd3..d639d211 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_templates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: templates.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -26,14 +26,19 @@ spec: description: Template is the Schema for the Templates API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml index e560de31..552983ba 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_users.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: users.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -36,14 +36,19 @@ spec: description: User is the Schema for the workspaces API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -98,33 +103,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -140,33 +152,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml b/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml index c938d789..fed0aa5e 100644 --- a/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml +++ b/charts/cosmo/crds/cosmo-workspace.github.io_workspaces.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: workspaces.cosmo-workspace.github.io spec: group: cosmo-workspace.github.io 
@@ -29,14 +29,19 @@ spec: description: Workspace is the Schema for the workspaces API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -110,33 +115,40 @@ spec: format: date-time type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic diff --git a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap index 3ddf38a8..9f134abe 100644 --- a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap +++ b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap 
@@ -1,1192 +1,1241 @@ -[test-certManager-existing-issuer] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - 
--entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: 
OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: ClusterIssuer - name: test - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: ClusterIssuer - name: test - secretName: webhook-server-cert -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + 
volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: test + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: test + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + 
namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: 
cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: 
cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap index c95a4480..0167bb1f 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-healthz.snap 
@@ -1,1192 +1,1242 @@ -[test-controllerManager-disable-healthz] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + 
leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - 
failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: 
cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=0 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - name: 
manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt 
- command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - 
--providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: 
cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= 
- immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + 
protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + 
cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=0 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: 
false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - 
--zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: 
dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + 
entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: 
cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - 
apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + 
rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap index 795f09ef..94a28218 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics-kubeRbacProxy.snap 
@@ -1,1189 +1,1239 @@ -[test-controllerManager-disable-metrics-kubeRbacProxy] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + 
bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: 
cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - 
clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: 
chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8080 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 
8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: 
cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - 
admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=0.0.0.0:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - 
image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 8080 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - 
secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - 
--providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: 
cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8080 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0.0.0.0:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service + - containerPort: 9443 + name: webhook-server + protocol: TCP + - containerPort: 8080 + name: metrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + 
securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + 
periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + 
labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + 
sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' spec: - ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + 
cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: 
None
diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap
index 1f6227f1..c0092305 100644
--- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap
+++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-metrics.snap
@@ -1,1163 +1,1211 @@ -[test-controllerManager-disable-metrics] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + webhook: + port: 9443 + 
leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: 
- cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: 
admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - 
operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=0 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: 
cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - 
initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + 
readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: + ports: + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: 
local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=0 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + 
livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 + containers: + - args: + - --port=8443 + - 
--maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - 
cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - 
patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - 
tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: 
cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + 
name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + 
clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: cosmo-auth - namespace: testns + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: 
cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" 
+ headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: 
cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap index 391fa998..4f8df1f6 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-disable-webhook.snap 
@@ -1,997 +1,1045 @@ -[test-controllerManager-disable-webhook] -SnapShot = """ -- object: - apiVersion: apps/v1 - kind: Deployment +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + leaderElection: + 
leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - 
watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: null - readinessProbe: - httpGet: - 
path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - 
command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - 
--providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: 
cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + 
cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: 
true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + 
app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + 
cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' diff --git a/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap b/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap index 49ed94bc..1cbe1551 100644 --- a/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap +++ b/charts/cosmo/test/__snapshots__/test-controllerManager-hostnetwork.snap 
@@ -1,1208 +1,1258 @@ -[test-controllerManager-hostnetwork] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9999 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9999 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9999 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9999 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - 
--maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - 
- --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: 
local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: 
useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - 
update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9999 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9999 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9999 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9999 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - 
containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: 
dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: 
cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - 
cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None 
diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap b/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap
index f1cc788d..fe76e54d 100644
--- a/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap
+++ b/charts/cosmo/test/__snapshots__/test-dashboard-disable-ingressroute.snap
@@ -1,1161 +1,1210 @@ -[test-dashboard-disable-ingressroute] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cDovL2Rhc2hib2FyZC5leGFtcGxlLmNvbS8jL3NpZ25pbg==" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: http +spec: + type: LoadBalancer + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: 
dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --insecure - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTP - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: null - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: null -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - 
--api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - 
emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - 
kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cDovL2Rhc2hib2FyZC5leGFtcGxlLmNvbS8jL3NpZ25pbg== - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c 
+ - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - 
"--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: http - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - 
--traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: LoadBalancer -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + 
limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --insecure + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: 
cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + 
namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: 
"${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + 
namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + 
namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap index b0c6b3c9..478d56e0 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-bind.snap 
@@ -1,1214 +1,1264 @@ -[test-dashboard-enable-ldap-bind] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - - --ldap-url=ldap://example.com:389 - - --ldap-insecure-skip-verify=false - - --ldap-start-tls=false - - --ldap-binddn= - - --ldap-search-binddn= - - --ldap-search-password= - - --ldap-search-basedn= - - --ldap-search-filter= - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: 
testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* 
/local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - 
cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - 
watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - 
- ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: 
cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: 
cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - 
helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - 
app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: 
Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - 
cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + 
cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + - --ldap-url=ldap://example.com:389 + - --ldap-insecure-skip-verify=false + - --ldap-start-tls=false + - --ldap-binddn= + - --ldap-search-binddn= + - --ldap-search-password= + - --ldap-search-basedn= + - --ldap-search-filter= + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: 
cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: 
+ - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap index 255186db..54acff55 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-enable-ldap-searchfilter.snap 
@@ -1,1214 +1,1264 @@ -[test-dashboard-enable-ldap-searchfilter] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - - --ldap-url=ldap://example.com:389 - - --ldap-insecure-skip-verify=false - - --ldap-start-tls=false - - --ldap-binddn= - - --ldap-search-binddn=cn=admin,dc=cosmo,dc=io - - --ldap-search-password=pass - - --ldap-search-basedn=dc=cosmo,dc=io - - --ldap-search-filter=(uid=%s) - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" 
- labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh 
- - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: 
Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - 
users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - 
networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - 
- kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: 
v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - 
app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: 
cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: 
cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + - --ldap-url=ldap://example.com:389 + - --ldap-insecure-skip-verify=false + - --ldap-start-tls=false + - --ldap-binddn= + - --ldap-search-binddn=cn=admin,dc=cosmo,dc=io + - --ldap-search-password=pass + - --ldap-search-basedn=dc=cosmo,dc=io + - --ldap-search-filter=(uid=%s) + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml 
+apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + 
port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + 
name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap b/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap index ad00bb46..9092c58d 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-fixed-session-key.snap 
@@ -1,1206 +1,1256 @@ -[test-dashboard-fixed-session-key] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: hash_key + COOKIE_BLOCKKEY: block_key + COOKIE_SESSION_NAME: sess_name +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + 
leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: 
LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + 
app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - 
failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: 
cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - 
livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) 
- - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - 
--entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - 
serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: block_key - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: hash_key - COOKIE_SESSION_NAME: sess_name - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: false - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + 
volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: 
chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + 
logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + 
clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + 
clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap b/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap index 8ae13db0..057666f7 100644 --- a/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap +++ b/charts/cosmo/test/__snapshots__/test-dashboard-timeout.snap 
@@ -1,1206 +1,1256 @@ -[test-dashboard-timeout] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + 
webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=90 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=600 - - --timeout-seconds=300 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - 
- --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: 
OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: 
Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - 
cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - 
ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=90 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=600 + - --timeout-seconds=300 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + 
resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: 
cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: 
traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + 
operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + 
app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-default.snap b/charts/cosmo/test/__snapshots__/test-default.snap index 848ba3e3..91453feb 100644 --- a/charts/cosmo/test/__snapshots__/test-default.snap 
+++ b/charts/cosmo/test/__snapshots__/test-default.snap 
@@ -1,1206 +1,1256 @@ -[test-default] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + 
port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - 
--entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: 
OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: 
Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - 
cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - 
ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: 
+ limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: 
cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: 
traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + 
operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + 
app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap b/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap index 91c2213f..1cb96042 100644 
--- a/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap +++ b/charts/cosmo/test/__snapshots__/test-fullnameOverride.snap 
@@ -1,1206 +1,1256 @@ -[test-fullnameOverride] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 
9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tae-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - 
list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tae-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tae-cosmo-system +subjects: +- kind: ServiceAccount + name: tae + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo 
+ app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + 
app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: 
cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - 
cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 
8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - 
cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 + serviceAccountName: tae + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent name: tae - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/tae - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: tae - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - 
readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: tae - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: 
Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - 
cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: 
cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tae-testns - subjects: - - kind: ServiceAccount - name: tae - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - 
metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - 
metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns - spec: + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: 
/plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/tae" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: 
testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: 
/tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - 
--cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: 
cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: tae +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: tae-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || 
PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 
+kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE 
+ - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: tae - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - 
UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-localRunTest.snap b/charts/cosmo/test/__snapshots__/test-localRunTest.snap index a74a4261..99d15b29 100644 --- a/charts/cosmo/test/__snapshots__/test-localRunTest.snap +++ b/charts/cosmo/test/__snapshots__/test-localRunTest.snap 
@@ -1,1251 +1,1303 @@ -[test-localRunTest] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + 
webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + - name: cosmo-dashboard-ui-server + port: 3000 + protocol: TCP + targetPort: 3000 +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: 
Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - 
operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - 
name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: 
- - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - 
- --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - 
--metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - 
name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: 
traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/@`,`/src`,`/manifest.json`,`/node_modules`,`/logo`)) - priority: 1002 - services: - - kind: Service 
- name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-ui-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: 
cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - kind: Endpoints - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - subsets: - - addresses: - - ip: 127.0.0.1 - ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - - name: cosmo-dashboard-ui-server - port: 3000 - protocol: TCP -- object: - apiVersion: v1 - kind: Endpoints - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - subsets: - - addresses: - - ip: 127.0.0.1 - ports: - - port: 9443 - protocol: TCP -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + 
- cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - 
"--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - 
--traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - - name: cosmo-dashboard-ui-server - port: 3000 - protocol: TCP - targetPort: 3000 - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + 
serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: 
TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: 
cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Endpoints +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +subsets: +- addresses: + - ip: 127.0.0.1 + ports: + - port: 9443 + protocol: TCP +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Endpoints +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +subsets: +- addresses: + - ip: 127.0.0.1 + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + - name: cosmo-dashboard-ui-server + port: 3000 + protocol: TCP +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + 
app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/@`) || PathPrefix(`/src`) || PathPrefix(`/manifest.json`) || PathPrefix(`/node_modules`) || PathPrefix(`/logo`)) + priority: 1002 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-ui-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: 
cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-logging.snap b/charts/cosmo/test/__snapshots__/test-logging.snap index 938d0599..b9500b70 100644 --- a/charts/cosmo/test/__snapshots__/test-logging.snap +++ b/charts/cosmo/test/__snapshots__/test-logging.snap 
@@ -1,1208 +1,1258 @@ -[test-logging] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + 
port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - 
delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: 
cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=debug - - --zap-time-encoding=iso8601 - - --zap-devel=true - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: 
ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=debug - - 
--zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --zap-devel=true - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - 
--serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: 
local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: 
useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - 
update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=debug + - --zap-time-encoding=iso8601 + - --zap-devel=true + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - 
app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=debug + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --zap-devel=true + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: 
ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + 
secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: 
cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - 
cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-nameOverride.snap b/charts/cosmo/test/__snapshots__/test-nameOverride.snap index ff6b270e..4035c938 100644 
--- a/charts/cosmo/test/__snapshots__/test-nameOverride.snap
+++ b/charts/cosmo/test/__snapshots__/test-nameOverride.snap
@@ -1,1206 +1,1256 @@ -[test-nameOverride] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + 
port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-tae-cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - 
get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-tae-cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-tae-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-tae + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: 
chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + 
selector: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: 
cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-tae + namespace: cosmo-system + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: 
- - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 
8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - 
--cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: tae - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - 
--entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-tae - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-tae - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-tae - 
terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - 
verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - 
traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-tae-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-tae-testns - subjects: - - kind: ServiceAccount - name: testrelease-tae - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - 
namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-tae + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-tae + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - 
name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-tae" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: 
+ matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - 
namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - namespace: 
cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: tae - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + 
name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-tae +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-tae-dashboard + namespace: cosmo-system + 
labels: + app.kubernetes.io/name: tae + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + 
cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: 
cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: tae - helm.sh/chart: traefik-23.0.1 - name: testrelease-tae - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: 
cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap b/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap index 92145e7d..89bd1a71 100644 --- a/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap +++ b/charts/cosmo/test/__snapshots__/test-podAnnotations-podLabels.snap 
@@ -1,1212 +1,1262 @@ -[test-podAnnotations-podLabels] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 
127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - 
create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + 
helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard 
+ app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: 
/mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - 
clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - annotations: - test-ann: hello - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - test-label: world - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager 
- image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - annotations: - test-ann: hello - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - test-label: world - spec: - containers: - - args: - - --port=8443 - - 
--maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - 
- --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: 
local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: 
useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - 
update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || 
PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: 
ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: 
"TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: "TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" 
+ app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + test-label: world + annotations: + test-ann: hello spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - 
annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + test-label: world + annotations: + test-ann: hello spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - 
namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + 
issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: 
cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: 
Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. 
DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- 
admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap b/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap index fb8f3791..e48e4ee2 100644 --- a/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap +++ b/charts/cosmo/test/__snapshots__/test-traefik-diabled.snap 
@@ -1,923 +1,952 @@ -[test-traefik-diabled] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: 
cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: 
+ - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: cosmo-controller-manager + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + 
app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: 
controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - 
- v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: 
Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=traefik - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: 
true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: cosmo-controller-manager - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - 
containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - name: cert - readOnly: true - securityContext: {} - serviceAccountName: cosmo-dashboard - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=traefik + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: 
manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: cosmo-controller-manager + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - 
cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: cosmo-dashboard + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances 
- - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns 
-- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - 
namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: 
cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration 
+webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + 
cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' spec: - ports: - - name: https - port: 8443 - 
targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service - metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-service - namespace: testns - spec: - ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns -- object: - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns -""" + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: 
cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + 
rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None diff --git a/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap b/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap index 9a32d45c..a35f45f2 100644 --- a/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap +++ b/charts/cosmo/test/__snapshots__/test-use-existing-serviceaccount.snap 
@@ -1,1182 +1,1230 @@ -[test-use-existing-serviceaccount] -SnapShot = """ -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration +# chartsnap: snapshot_version=v3 +--- +# Source: cosmo/charts/traefik/templates/rbac/serviceaccount.yaml +kind: ServiceAccount +apiVersion: v1 +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +--- +# Source: cosmo/templates/auth-env-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosmo-auth-env + namespace: "cosmo-system" +immutable: false +data: + COOKIE_DOMAIN: "ZXhhbXBsZS5jb20=" + SIGNIN_URL: "aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4=" + # fetch current secret and get values + # currentData=map[] + COOKIE_HASHKEY: "###DYNAMIC_FIELD###" + COOKIE_BLOCKKEY: "###DYNAMIC_FIELD###" + COOKIE_SESSION_NAME: "###DYNAMIC_FIELD###" +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 04c57811.cosmo-workspace.github.io +kind: ConfigMap +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-config + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + 
app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + - serverstransporttcps + verbs: + - get + - list + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-role +rules: +- 
apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard +rules: +- apiGroups: + - '' + resources: + - namespaces + - secrets + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - patch + - update + - get + - list + - watch + - bind +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces + - users + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - workspaces/status + - users/status + verbs: + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances + - templates + - clusterinstances + - clustertemplates + verbs: + - create + - delete + - patch + - update + - get + - list + - watch +- apiGroups: + - cosmo-workspace.github.io + resources: + - instances/status + verbs: + - get + - list + - watch +--- +# Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: chartsnap-traefik-cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-traefik-cosmo-system +subjects: +- kind: ServiceAccount + name: chartsnap-traefik + 
namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-manager-role +subjects: +- kind: ServiceAccount + name: test + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-proxy-role +subjects: +- kind: ServiceAccount + name: test + namespace: cosmo-system +--- +# Source: cosmo/templates/dashboard/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cosmo-dashboard +subjects: +- kind: ServiceAccount + name: cosmo-dashboard + namespace: cosmo-system +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-role + 
namespace: cosmo-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: cosmo/templates/controller-manager/roles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-leader-election-rolebinding + namespace: cosmo-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cosmo-leader-election-role +subjects: +- kind: ServiceAccount + name: test + namespace: cosmo-system +--- +# Source: cosmo/charts/traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + ports: + - port: 80 + name: "web" + targetPort: web + protocol: TCP + - port: 443 + name: "websecure" + targetPort: websecure + protocol: TCP +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager-metrics-service + namespace: cosmo-system +spec: + ports: + - name: https + port: 8443 + targetPort: 8443 + selector: + 
cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-service + namespace: cosmo-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: https +spec: + type: ClusterIP + ports: + - name: cosmo-dashboard-server + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo +--- +# Source: cosmo/charts/traefik/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: chartsnap-traefik + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - 
app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-mutating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: minstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: mclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: muser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: mworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: None -- object: - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - 
metadata: - annotations: - cert-manager.io/inject-ca-from: testns/cosmo-webhook-cert - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-validating-webhook-configuration - webhooks: - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vclusterinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - clusterinstances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-instance - failurePolicy: Fail - name: vinstance.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - instances - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-user - failurePolicy: Fail - name: vuser.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - users - sideEffects: None - - admissionReviewVersions: - - v1 - - v1alpha1 - clientConfig: - caBundle: Cg== - service: - name: cosmo-webhook-service - namespace: testns - path: /validate-cosmo-workspace-github-io-v1alpha1-workspace - failurePolicy: Fail - name: vworkspace.kb.io - rules: - - apiGroups: - - cosmo-workspace.github.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - workspaces - sideEffects: 
None -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager - spec: - affinity: {} - containers: - - args: - - --port=9443 - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --traefik-entrypoints=web,websecure - - --traefik-authen-middleware=cosmo-auth - - --traefik-authen-middleware-namespace=cosmo-system - - --traefik-username-header-middleware=cosmo-username-headers - - --workspace-urlbase-protocol=https - - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} - - --workspace-urlbase-domain=example.com - command: - - /manager - image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - 
imagePullPolicy: IfNotPresent - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - imagePullSecrets: [] - nodeSelector: {} - securityContext: - runAsNonRoot: true - serviceAccountName: test - terminationGracePeriodSeconds: 10 - tolerations: [] - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - template: - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - spec: - containers: - - args: - - --port=8443 - - --maxage-minutes=720 - - --zap-log-level=info - - --zap-time-encoding=iso8601 - - --cookie-domain=$(COOKIE_DOMAIN) - - --cookie-hashkey=$(COOKIE_HASHKEY) - - --cookie-blockkey=$(COOKIE_BLOCKKEY) - - --cookie-session-name=$(COOKIE_SESSION_NAME) - - --graceful-shutdown-seconds=10 - - --timeout-seconds=5 - - --tls-key=/app/cert/tls.key - - --tls-cert=/app/cert/tls.crt - command: - - /app/dashboard - envFrom: - - secretRef: - name: cosmo-auth-env - image: ghcr.io/cosmo-workspace/cosmo-dashboard:v0.10.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 20 - name: dashboard - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 20Mi - securityContext: {} - volumeMounts: - - mountPath: /app/cert - 
name: cert - readOnly: true - securityContext: {} - serviceAccountName: test - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: dashboard-server-cert -- object: - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system - spec: - minReadySeconds: 0 - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: \"9100\" - prometheus.io/scrape: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - spec: - containers: - - args: - - --global.sendanonymoususage - - --serversTransport.insecureSkipVerify=true - - --entrypoints.metrics.address=:9100/tcp - - --entrypoints.traefik.address=:9000/tcp - - --entrypoints.web.address=:8000/tcp - - --entrypoints.websecure.address=:8443/tcp - - --api.dashboard=true - - --ping=true - - --metrics.prometheus=true - - --metrics.prometheus.entrypoint=metrics - - --providers.kubernetescrd - - --providers.kubernetescrd.allowCrossNamespace=true - - --providers.kubernetesingress - - --providers.kubernetesingress.ingressendpoint.publishedservice=testns/testrelease-traefik - - --entrypoints.websecure.http.tls=true - - --experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth - envFrom: - - secretRef: - name: cosmo-auth-env - image: docker.io/traefik:v2.10.1 - imagePullPolicy: IfNotPresent - lifecycle: null - livenessProbe: - failureThreshold: 3 - httpGet: - path: /ping - port: 9000 - 
scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - name: testrelease-traefik - ports: - - containerPort: 9100 - name: metrics - protocol: TCP - - containerPort: 9000 - name: traefik - protocol: TCP - - containerPort: 8000 - name: web - protocol: TCP - - containerPort: 8443 - name: websecure - protocol: TCP - readinessProbe: - failureThreshold: 1 - httpGet: - path: /ping - port: 9000 - scheme: HTTP - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - resources: null - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - - mountPath: /plugins-storage - name: plugins - - mountPath: /plugins-local - name: local-plugins - hostNetwork: false - initContainers: - - command: - - sh - - -c - - cp -r /plugins-local/* /local-plugins/ - image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest - imagePullPolicy: IfNotPresent - name: copy-plugins - volumeMounts: - - mountPath: /local-plugins - name: local-plugins - securityContext: - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: testrelease-traefik - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - - emptyDir: {} - name: local-plugins - - emptyDir: {} - name: plugins -- object: - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-cert - namespace: testns - spec: - dnsNames: - - cosmo-dashboard.testns.svc - - cosmo-dashboard.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: dashboard-server-cert -- object: - apiVersion: cert-manager.io/v1 
- kind: Certificate - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-webhook-cert - namespace: testns - spec: - dnsNames: - - cosmo-webhook-service.testns.svc - - cosmo-webhook-service.testns.svc.cluster.local - issuerRef: - kind: Issuer - name: cosmo-selfsigned-issuer - secretName: webhook-server-cert -- object: - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-selfsigned-issuer - namespace: testns - spec: - selfSigned: {} -- object: - apiVersion: cosmo-workspace.github.io/v1alpha1 - kind: Template - metadata: - annotations: - cosmo-workspace.github.io/disable-nameprefix: \"true\" - useraddon.cosmo-workspace.github.io/default: \"true\" - creationTimestamp: null - labels: - cosmo-workspace.github.io/type: useraddon - name: cosmo-username-headers - spec: - description: Traefik middleware for user authorization. 
DO NOT EDIT - rawYaml: | - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - labels: - cosmo-workspace.github.io/instance: '{{INSTANCE}}' - cosmo-workspace.github.io/template: '{{TEMPLATE}}' - name: cosmo-username-headers - namespace: '{{NAMESPACE}}' - spec: - headers: - customRequestHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' - customResponseHeaders: - X-Cosmo-UserName: '{{USER_NAME}}' -- object: - apiVersion: networking.k8s.io/v1 - kind: IngressClass - metadata: - annotations: - ingressclass.kubernetes.io/is-default-class: \"true\" - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - spec: - controller: traefik.io/ingress-controller -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - rules: - - apiGroups: - - \"\" - resources: - - namespaces - - secrets - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - bind - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces - - users - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - workspaces/status - - users/status - verbs: - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - instances - - templates - - clusterinstances - - clustertemplates - verbs: - - create - - delete - - patch - - update - - get - - list - - watch - - apiGroups: - - cosmo-workspace.github.io - resources: - - 
instances/status - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-role - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-metrics-reader - rules: - - nonResourceURLs: - - /metrics - verbs: - - get -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-role - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-testns - rules: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - \"\" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update - - 
apiGroups: - - traefik.io - - traefik.containo.us - resources: - - ingressroutes - - ingressroutetcps - - ingressrouteudps - - middlewares - - middlewaretcps - - tlsoptions - - tlsstores - - traefikservices - - serverstransports - verbs: - - get - - list - - watch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-dashboard - subjects: - - kind: ServiceAccount - name: cosmo-dashboard - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-manager-role - subjects: - - kind: ServiceAccount - name: test - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-proxy-rolebinding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cosmo-proxy-role - subjects: - - kind: ServiceAccount - name: test - namespace: testns -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: 
testrelease-traefik-testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: testrelease-traefik-testns - subjects: - - kind: ServiceAccount - name: testrelease-traefik - namespace: cosmo-system -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-role - namespace: testns - rules: - - apiGroups: - - \"\" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - \"\" - resources: - - events - verbs: - - create - - patch -- object: - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-leader-election-rolebinding - namespace: testns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cosmo-leader-election-role - subjects: - - kind: ServiceAccount - name: test - namespace: testns -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns - spec: - entryPoints: - - web - - websecure - routes: - - kind: Rule - match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`,`/assets/`,`/dashboard.v1alpha1.AuthService/`)) - priority: 1001 - services: - - kind: Service - name: cosmo-dashboard - namespace: 
testns - port: cosmo-dashboard-server - scheme: https - - kind: Rule - match: Host(`dashboard.example.com`) - middlewares: - - name: cosmo-auth - priority: 1000 - services: - - kind: Service - name: cosmo-dashboard - namespace: testns - port: cosmo-dashboard-server - scheme: https -- object: - apiVersion: traefik.io/v1alpha1 - kind: IngressRoute - metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik-dashboard - namespace: cosmo-system - spec: - entryPoints: - - traefik - routes: - - kind: Rule - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - services: - - kind: TraefikService - name: api@internal -- object: - apiVersion: traefik.io/v1alpha1 - kind: Middleware - metadata: - name: cosmo-auth - namespace: testns - spec: - plugin: - cosmoauth: - cookieBlockKey: ${COOKIE_BLOCKKEY} - cookieDomain: ${COOKIE_DOMAIN} - cookieHashKey: ${COOKIE_HASHKEY} - cookieSessionName: ${COOKIE_SESSION_NAME} - logLevel: DEBUG - signInUrl: ${SIGNIN_URL} -- object: - apiVersion: v1 - data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 04c57811.cosmo-workspace.github.io - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-manager-config - namespace: testns -- object: - apiVersion: v1 - data: - COOKIE_BLOCKKEY: '###DYNAMIC_FIELD###' - COOKIE_DOMAIN: ZXhhbXBsZS5jb20= - COOKIE_HASHKEY: '###DYNAMIC_FIELD###' - COOKIE_SESSION_NAME: '###DYNAMIC_FIELD###' - SIGNIN_URL: 
aHR0cHM6Ly9kYXNoYm9hcmQuZXhhbXBsZS5jb20vIy9zaWduaW4= - immutable: true - kind: Secret - metadata: - name: cosmo-auth-env - namespace: testns -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-controller-manager-metrics-service - namespace: testns + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: "9100" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm spec: + serviceAccountName: chartsnap-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + initContainers: + - command: + - sh + - -c + - cp -r /plugins-local/* /local-plugins/ + image: ghcr.io/cosmo-workspace/cosmo-traefik-plugins:latest + imagePullPolicy: IfNotPresent + name: copy-plugins + volumeMounts: + - mountPath: /local-plugins + name: local-plugins + containers: + - image: docker.io/traefik:v3.0.0 + imagePullPolicy: IfNotPresent + name: chartsnap-traefik + resources: + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + lifecycle: ports: - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - name: "metrics" + containerPort: 9100 + protocol: "TCP" + - name: "traefik" + containerPort: 9000 + protocol: "TCP" + - name: "web" + containerPort: 8000 + protocol: 
"TCP" + - name: "websecure" + containerPort: 8443 + protocol: "TCP" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + - mountPath: /plugins-local + name: local-plugins + - mountPath: /plugins-storage + name: plugins + args: + - "--global.sendanonymoususage" + - "--serversTransport.insecureSkipVerify=true" + - "--entryPoints.metrics.address=:9100/tcp" + - "--entryPoints.traefik.address=:9000/tcp" + - "--entryPoints.web.address=:8000/tcp" + - "--entryPoints.websecure.address=:8443/tcp" + - "--api.dashboard=true" + - "--ping=true" + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint=metrics" + - "--providers.kubernetescrd" + - "--providers.kubernetescrd.allowCrossNamespace=true" + - "--providers.kubernetesingress" + - "--providers.kubernetesingress.ingressendpoint.publishedservice=cosmo-system/chartsnap-traefik" + - "--entryPoints.websecure.http.tls=true" + - "--log.level=INFO" + - "--experimental.localPlugins.cosmoauth.modulename=github.com/cosmo-workspace/cosmoauth" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: cosmo-auth-env + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + - emptyDir: {} + name: local-plugins + - emptyDir: {} + name: plugins + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +--- +# Source: cosmo/templates/controller-manager/manager.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-controller-manager + namespace: cosmo-system +spec: + replicas: 
1 + selector: + matchLabels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: - traefik.ingress.kubernetes.io/service.serversscheme: https - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: cosmo-dashboard - namespace: testns + labels: + cosmo-workspace.github.io: controller-manager + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=9443 + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --traefik-entrypoints=web,websecure + - --traefik-authen-middleware=cosmo-auth + - --traefik-authen-middleware-namespace=cosmo-system + - --traefik-username-header-middleware=cosmo-username-headers + - --workspace-urlbase-protocol=https + - --workspace-urlbase-host={{NETRULE}}-{{WORKSPACE}}-{{USER}} + - --workspace-urlbase-domain=example.com + command: + - /manager + image: ghcr.io/cosmo-workspace/cosmo-controller-manager:v1.0.0-rc5 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + name: manager ports: - - name: cosmo-dashboard-server - port: 8443 - protocol: TCP - targetPort: 8443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: dashboard - type: ClusterIP -- object: - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: cosmo - app.kubernetes.io/version: v0.10.0 - helm.sh/chart: cosmo-0.10.0 - name: 
cosmo-webhook-service - namespace: testns - spec: + - containerPort: 9443 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + imagePullPolicy: IfNotPresent + name: kube-rbac-proxy ports: - - port: 443 - targetPort: 9443 - selector: - app.kubernetes.io/instance: testrelease - app.kubernetes.io/name: cosmo - cosmo-workspace.github.io: controller-manager -- object: - apiVersion: v1 - kind: Service + - containerPort: 8443 + name: https + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: test + terminationGracePeriodSeconds: 10 + imagePullSecrets: [] + nodeSelector: {} + affinity: {} + tolerations: [] + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/dashboard.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard + namespace: cosmo-system +spec: + replicas: 1 + selector: + matchLabels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + template: metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - 
namespace: cosmo-system + labels: + cosmo-workspace.github.io: dashboard + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo spec: + containers: + - args: + - --port=8443 + - --maxage-minutes=720 + - --zap-log-level=info + - --zap-time-encoding=iso8601 + - --cookie-domain=$(COOKIE_DOMAIN) + - --cookie-hashkey=$(COOKIE_HASHKEY) + - --cookie-blockkey=$(COOKIE_BLOCKKEY) + - --cookie-session-name=$(COOKIE_SESSION_NAME) + - --signin-url=$(SIGNIN_URL) + - --graceful-shutdown-seconds=10 + - --timeout-seconds=5 + - --tls-key=/app/cert/tls.key + - --tls-cert=/app/cert/tls.crt + command: + - /app/dashboard + image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5" + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 20 + name: dashboard + envFrom: + - secretRef: + name: cosmo-auth-env ports: - - name: web - port: 80 - protocol: TCP - targetPort: web - - name: websecure - port: 443 - protocol: TCP - targetPort: websecure - selector: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/name: traefik - type: LoadBalancer -- object: - apiVersion: v1 - kind: ServiceAccount + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: {} + volumeMounts: + - mountPath: /app/cert + name: cert + readOnly: true + securityContext: {} + serviceAccountName: test + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/ingressclass.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm + name: 
chartsnap-traefik +spec: + controller: traefik.io/ingress-controller +--- +# Source: cosmo/templates/controller-manager/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-webhook-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-webhook-service.cosmo-system.svc + - cosmo-webhook-service.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: webhook-server-cert +--- +# Source: cosmo/templates/dashboard/cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-dashboard-cert + namespace: cosmo-system +spec: + dnsNames: + - cosmo-dashboard.cosmo-system.svc + - cosmo-dashboard.cosmo-system.svc.cluster.local + issuerRef: + kind: Issuer + name: cosmo-selfsigned-issuer + secretName: dashboard-server-cert +--- +# Source: cosmo/charts/traefik/templates/dashboard-ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: chartsnap-traefik-dashboard + namespace: cosmo-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: chartsnap-cosmo-system + helm.sh/chart: traefik-28.0.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +--- +# Source: cosmo/templates/dashboard/ingressroute.yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: cosmo-dashboard + namespace: cosmo-system + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + 
app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - web + - websecure + routes: + - kind: Rule + match: Host(`dashboard.example.com`) && (Path(`/`) || PathPrefix(`/logo`) || PathPrefix(`/assets/`) || PathPrefix(`/dashboard.v1alpha1.AuthService/`) || PathPrefix(`/dashboard.v1alpha1.WebAuthnService/`)) + priority: 1001 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + - kind: Rule + match: Host(`dashboard.example.com`) + priority: 1000 + services: + - kind: Service + name: cosmo-dashboard + namespace: cosmo-system + port: cosmo-dashboard-server + scheme: https + middlewares: + - name: cosmo-auth +--- +# Source: cosmo/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-selfsigned-issuer + namespace: cosmo-system +spec: + selfSigned: {} +--- +# Source: cosmo/templates/cosmo-auth-middleware.yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: cosmo-auth + namespace: "cosmo-system" +spec: + plugin: + cosmoauth: + logLevel: DEBUG + cookieSessionName: "${COOKIE_SESSION_NAME}" + cookieDomain: "${COOKIE_DOMAIN}" + cookieHashKey: "${COOKIE_HASHKEY}" + cookieBlockKey: "${COOKIE_BLOCKKEY}" + signInUrl: "${SIGNIN_URL}" +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + 
app.kubernetes.io/managed-by: Helm + name: cosmo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: minstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: mclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: muser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /mutate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: mworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None +--- +# Source: cosmo/templates/cosmo-username-headers-addon.yaml +apiVersion: cosmo-workspace.github.io/v1alpha1 +kind: Template +metadata: + annotations: + cosmo-workspace.github.io/disable-nameprefix: "true" + 
useraddon.cosmo-workspace.github.io/default: "true" + creationTimestamp: null + labels: + cosmo-workspace.github.io/type: useraddon + name: cosmo-username-headers +spec: + description: Traefik middleware for user authorization. DO NOT EDIT + rawYaml: | + apiVersion: traefik.io/v1alpha1 + kind: Middleware metadata: - annotations: null - labels: - app.kubernetes.io/instance: testrelease-testns - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: traefik - helm.sh/chart: traefik-23.0.1 - name: testrelease-traefik - namespace: cosmo-system -""" + labels: + cosmo-workspace.github.io/instance: '{{INSTANCE}}' + cosmo-workspace.github.io/template: '{{TEMPLATE}}' + name: cosmo-username-headers + namespace: '{{NAMESPACE}}' + spec: + headers: + customRequestHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' + customResponseHeaders: + X-Cosmo-UserName: '{{USER_NAME}}' +--- +# Source: cosmo/templates/controller-manager/webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cosmo-system/cosmo-webhook-cert + labels: + helm.sh/chart: cosmo-1.0.0-rc5 + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: cosmo + app.kubernetes.io/version: "v1.0.0-rc5" + app.kubernetes.io/managed-by: Helm + name: cosmo-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vclusterinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusterinstances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: 
/validate-cosmo-workspace-github-io-v1alpha1-instance + failurePolicy: Fail + name: vinstance.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - instances + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-user + failurePolicy: Fail + name: vuser.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - users + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + caBundle: Cg== + service: + name: cosmo-webhook-service + namespace: cosmo-system + path: /validate-cosmo-workspace-github-io-v1alpha1-workspace + failurePolicy: Fail + name: vworkspace.kb.io + rules: + - apiGroups: + - cosmo-workspace.github.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - workspaces + sideEffects: None